arX

iv:1

901.

0024

0v1

[cs

.CR

] 2

Jan

201

9

Accountable Tracing Signatures from Lattices

San Ling, Khoa Nguyen, Huaxiong Wang, Yanhong Xu

Division of Mathematical Sciences,School of Physical and Mathematical Sciences,Nanyang Technological University, Singapore.

{lingsan,khoantt,hxwang,xu0014ng}@ntu.edu.sg

Abstract. Group signatures allow users of a group to sign messagesanonymously in the name of the group, while incorporating a tracingmechanism to revoke anonymity and identify the signer of any message.Since its introduction by Chaum and van Heyst (EUROCRYPT 1991),numerous proposals have been put forward, yielding various improve-ments on security, efficiency and functionality. However, a drawback oftraditional group signatures is that the opening authority is given toomuch power, i.e., he can indiscriminately revoke anonymity and thereis no mechanism to keep him accountable. To overcome this problem,Kohlweiss and Miers (PoPET 2015) introduced the notion of accountabletracing signatures (ATS) - an enhanced group signature variant in whichthe opening authority is kept accountable for his actions. Kohlweiss andMiers demonstrated a generic construction of ATS and put forward a con-crete instantiation based on number-theoretic assumptions. To the bestof our knowledge, no other ATS scheme has been known, and the prob-lem of instantiating ATS under post-quantum assumptions, e.g., lattices,remains open to date.

In this work, we provide the first lattice-based accountable tracing sig-nature scheme. The scheme satisfies the security requirements suggestedby Kohlweiss and Miers, assuming the hardness of the Ring Short IntegerSolution (RSIS) and the Ring Learning With Errors (RLWE) problems.At the heart of our construction are a lattice-based key-oblivious encryp-tion scheme and a zero-knowledge argument system allowing to provethat a given ciphertext is a valid RLWE encryption under some hiddenyet certified key. These technical building blocks may be of independentinterest, e.g., they can be useful for the design of other lattice-basedprivacy-preserving protocols.

1 Introduction

Group signature is a fundamental cryptographic primitive introduced by Chaumand van Heyst [13]. It allows members of a group to anonymously sign messageson behalf of the group, but to prevent abuse of anonymity, there is an open-ing authority (OA) who can identify the signer of any message. While such atracing mechanism is necessary to ensure user accountability, it grants too muchpower to the opening authority. Indeed, in traditional models of group signatures,

e.g., [2,23,7,3,24,54,8], the OA can break users’ anonymity whenever he wants,and we do not have any method to verify whether this trust is well placed ornot.

One existing attempt to restrict the OA’s power is the proposal of groupsignatures with message-dependent opening (MDO) [53], in which the OA canonly identify the signers of messages admitted by an additional authority namedadmitter. However, this solution is still unsatisfactory. Once the OA has obtainedadmission to open a specific message, he can identify all the users, includingsome innocent ones, who have ever issued signatures on this specific message.Furthermore, by colluding with the admitter, the OA again is able to open allsignatures.

To tackle the discussed above problem, Kohlweiss and Miers [25] put for-ward the notion of accountable tracing signatures (ATS), which is an enhancedvariant of group signatures that has an additional mechanism to make the OA

accountable. In an ATS scheme, the role of the OA is incorporated into thatof the group manager (GM), and there are two kinds of group users: traceableones and non-traceable ones. Traceable users are treated as in traditional groupsignatures, i.e., their anonymity can be broken by the OA/GM. Meanwhile, itis infeasible for anyone, including the OA/GM, to trace signatures generatedby non-traceable users. When a user joins the group, the OA/GM first has todetermine whether this user is traceable and then he issues a corresponding(traceable/nontraceable) certificate to the user. In a later phase, the OA/GM

reveals which user he deems traceable using an “accounting” algorithm, yieldingan intriguing method to enforce his accountability.

As an example, let us consider the surveillance controls of a building, whichis implemented using an ATS scheme. On the one hand, the customers in thisbuilding would like to have their privacy protected as much as possible. On theother hand, the police who are conducting security check in this building wouldlike to know as much as they can. To balance the interests of these two parties,the police can in advance narrow down some suspects and asks the OA/GM tomake these suspected users traceable and the remaining non-suspected usersnon-traceable. To check whether the suspects entered the building, the policecan ask the OA/GM to open all signatures that were used for authentication atthe entrance. Since only the suspects are traceable, the group manager can onlyidentify them if they indeed entered this building. However, if a standard groupsignature scheme (e.g., [1,2,6,3]) were used, then the privacy of innocent userswould be seriously violated. In this situation, one might think that a traceablesignature scheme, as suggested by Kiayias, Tsiounis and Yung [23], would work.By requesting a user-specific trapdoor from the OA/GM, the police can trace allthe signatures created by the suspects. However, this only achieves privacy ofinnocent users against the police, but not against the group authorities. In fact,in a traceable signature scheme, the OA/GM has the full power to identify thesigners of all signatures and hence can violate the privacy of all users withoutbeing detected. In contrast, if an ATS scheme is used, then the OA/GM mustlater reveal which user he chose to be traceable, thus enabling his accountability.

2

In [25], besides demonstrating the feasibility of ATS under generic assump-tions, Kohlweiss and Miers also presented an instantiation based on number-theoretic assumptions, which remains the only known concrete ATS construc-tion to date. This scheme, however, is vulnerable against quantum computersdue to Shor’s algorithm [55]. For the sake of not putting all eggs in one basket,it is therefore tempting to build schemes based on post-quantum foundations. Inthis paper, we investigate the design of accountable tracing signatures based onlattice assumptions, which are currently among the most viable foundations forpost-quantum cryptography. Let us now take a look at the closely related andrecently active topic of lattice-based group signatures.

Lattice-based group signatures. The first lattice-based group signaturescheme was introduced by Gordon, Katz and Vaikuntanathan in 2010 [20]. Sub-sequently, numerous schemes offering improvements in terms of security andefficiency have been proposed [12,26,34,48,30,28,9,51]. Nevertheless, regardingthe supports of advanced functionalities, lattice-based group signatures are stillway behind their number-theoretic-based counterparts. Indeed, there have beenknown only a few lattice-based schemes [32,31,28,35,36] that depart from theBMW model [2] - which deals solely with static groups and which may be tooinflexible to be considered for a wide range of real-life applications. In partic-ular, although there was an attempt [31] to restrict the power of the OA inthe MDO sense, the problem of making the OA accountable in the context oflattice-based group signatures is still open. This somewhat unsatisfactory state-of-affairs motivates our search for a lattice-based instantiation of ATS. As wewill discuss below, the technical road towards our goal is not straightforward:there are challenges and missing building blocks along the way.

Our Results and Techniques. In this paper, we introduce the first lattice-based accountable tracing signature scheme. The scheme satisfies the securityrequirements suggested by Kohlweiss and Miers [25], assuming the hardness ofthe Ring Short Integer Solution (RSIS) problem and the Ring Learning WithErrors (RLWE) problem. As all other known lattice-based group signatures, thesecurity of our scheme is analyzed in the random oracle model. For a securityparameter λ, our ATS scheme features group public key size and user secretkey size O(λ). However, the accountability of the OA/GM comes at a price: the

signature size is of order O(λ2) compared with O(λ) in a recent scheme by Linget al. [36].

Let us now give an overview of our techniques. First, we recall that in an or-dinary group signature scheme [2,3], to enable traceability, the user is supposedto encrypt his identifying information and prove the well-formedness of the re-sulting ciphertext. In an ATS scheme, however, not all users are traceable. Wethus would need a mechanism to distinguish between traceable users and non-traceable ones. A possible method is to let traceable users encrypt their identitiesunder a public key (pk) such that only the OA/GM knows the underlying secretkey (sk), while for non-traceable users, no one knows the secret key. However,there seems to be no incentive for users to deliberately make themselves trace-able. We hence should think of a way to choose traceable users obliviously. An

3

interesting approach is to randomize pk to a new public key epk so that it is in-feasible to decide how these keys are related without the knowledge of the secretkey and the used randomness. More specifically, when a user joins the group, theOA/GM first randomizes pk to epk and sends the latter to the user together witha certificate. The difference between traceable users and non-traceable ones liesin whether OA/GM knows the underlying secret key. Thanks to the oblivious-ness property of the randomization, the users are unaware of whether they aretraceable. Then, when signing messages, the user encrypts his identity using hisown randomized key epk (note that this “public key” should be kept secret) andproves the well-formedness of the ciphertext. Several questions regarding thisapproach then arise. What special kind of encryption scheme should we use?How to randomize the public key in order to get the desirable obliviousness?More importantly, how could the user prove the honest execution of encryptionif the underlying encryption key is secret?

To address the first two questions, Kohlweiss and Miers [25] proposed thenotion of key-oblivious encryption (KOE) - a public-key encryption scheme inwhich one can randomize public keys in an oblivious manner. Kohlweiss andMiers showed that a KOE scheme can be built from a key-private homomorphicpublic-key encryption scheme. They then gave an explicit construction based onthe ElGamal cryptosystem [18], where epk is obtained by multiplying pk by a ci-phertext of 1. When adapting this idea into the lattice setting, however, one hasto be careful. In fact, we observe that an implicit condition for the underlyingkey-private public-key encryption scheme is that its public key and ciphertextshould have the same algebraic form1, which is often not the case for the schemesin the lattice setting, e.g., [52,19]. Furthermore, lattice-based encryption schemesfrom the Learning with Errors (LWE) problem or its ring version RLWE ofteninvolve noise terms that grow quickly when one performs homomorphic opera-tions over ciphertexts. Fortunately, we could identify a suitable candidate: theRLWE-based encryption scheme proposed by Lyubashevsky, Peiker and Regev(LPR) [43], for which both the public key and the ciphertext consist of a pairof ring elements. Setting the parameters carefully to control the noise growthin LPR, we are able to adapt the blueprint of [25] into the lattice setting andobtain a lattice-based KOE scheme.

To tackle the third question, we need a zero-knowledge (ZK) protocol forproving well-formedness of the ciphertext under a hidden encryption key, whichis quite challenging to build in the RLWE setting. Existing ZK protocols fromlattices belong to two main families. One line of research [37,38,4,5,41,44] de-signed very elegant approximate ZK proofs for (R)LWE and (R)SIS relationsby employing rejection sampling techniques. While these proofs are quite ef-ficient and compact, they only handle linear relations. In other words, theycan only prove knowledge of a short vector x satisfying y = A · x mod q, forpublic A and public y. This seems insufficient for our purpose. Another lineof research [33,34,14,30,29,36] developed decomposition/ extension/permutation

1 This condition is needed so that epk can be computed as pk · enc(1) (multiplicativehomomorphic) or pk + enc(0) (additive homomorphic).

4

techniques that operate in Stern’s framework [57]. Although Stern-like protocolsare less practical than those in the first family, they are much more versatileand can even deal with quadratic relations [29]. More precisely, as demon-strated by Libert et al. [29] one can employ Stern-like techniques to proveknowledge of secret-and-certified A together with short secret vector x satis-fying y = A · x mod q. Thus, Libert et al.’s work appears to be the “right”stepping stone for our case. However, in [29], quadratic relations were consid-ered only in the setting of general lattices, while here we have to deal with thering setting, for which the multiplication operation is harder to express, captureand prove in zero-knowledge. Nevertheless we manage to adapt their techniquesinto the ring lattices and obtain the desired technical building block.

As discussed so far, we have identified the necessary ingredients - the LPRencryption scheme and Stern-like ZK protocols - for upgrading a lattice-basedordinary group signature to a lattice-based accountable tracing signature. Next,we need to find a lattice-based ordinary group signature scheme that is compati-ble with the those ingredients. To this end, we work with Ling et al.’s scheme [36],that also employs the LPR system for its tracing layer and Stern-like techniquesfor proving knowledge of a valid user certificate (which is a Ducas-Miccianciosignature [15,16] based on the hardness of the Ring Short Integer Solution (RSIS)problem). We note that the scheme from [36] achieves constant-size signatures,which means that the signature size is independent of the number of users. Asa by-product, our signatures are also constant-size (although our constant islarger, due to the treatment of quadratic relations).

A remaining aspect is how to enable the accountability of the OA/GM. Tothis end, we let the latter reveal the choice (either traceable or non-traceable) fora given user together with the randomness used to obtain the randomized publickey. The user then checks whether his epk was computed as claimed. However,the OA/GM may claim a traceable user to be non-traceable by giving awaymalicious randomness and accusing that the user had changed epk by himself. Toensure non-repudiation, OA/GM is required to sign epk and the users’ identifyinginformation when registering the user into the group. This mechanism in factalso prevents dishonest users from choosing non-traceable epk by themselves.

The obtained ATS scheme is then proven secure in the random oracle modelunder the RSIS and RLWE assumptions, according to the security requirementsput forward by Kohlweiss and Miers [25]. On the efficiency front, as all knownlattice-based group signatures with advanced functionalities, our scheme is stillfar from being practical. We, however, hope that our result will inspire moreefficient constructions in the near future.

Organization. In Section 2, we recall some background materials. In Section 3,we describe our key-oblivious encryption scheme from lattice assumptions. Ouraccountable tracing signature scheme is presented in Section 5.

5

2 Background

Notations. For a positive integer n, define the set {1, 2, . . . , n} as [n], the set{0, 1, . . . , n} as [0, n], and the set containing all the integers from −n to n as[−n, n]. Denote the set of all positive integers as Z

+. If S is a finite set, then

x$←− S means that x is chosen uniformly at random from S. Let a ∈ R

m1 andb ∈ R

m2 be two vectors for positive integers m1,m2. Denote (a‖b) ∈ Rm1+m2 ,

instead of (a⊤,b⊤)⊤, as the concatenation of these two vectors.

2.1 Rings, RSIS and RLWE

Let q ≥ 3 be a positive integer and let Zq = [− q−12 , q−1

2 ]. In this work, let usconsider rings R = Z[X ]/(Xn + 1) and Rq = (R/qR), where n is a power of 2.

Let τ be the coefficient embedding τ : Rq → Znq that maps a ring element

v = v0 +v1 ·X+. . .+vn−1 ·Xn−1 ∈ Rq to a vector τ(v) = (v0, v1, . . . , vn−1)⊤ overZ

nq . Define the ring homomorphism rot : Rq → Z

n×nq that maps a ring element

a ∈ Rq to a matrix rot(a) =[τ(a) | τ(a ·X) | · · · | τ(a ·Xn−1)

]over Z

n×nq (see,

e.g., [45,58]). Using these two functions, the element product y = a · v over Rq

can be interpreted as the matrix-vector multiplication τ(y) = rot(a) · τ(v) overZq.

When working with vectors and matrices overRq, we generalize the notationsτ and rot in the following way. For a vector v = (v1, . . . , vm)⊤ ∈ Rm

q , defineτ(v) = (τ(v1)‖ · · · ‖τ(vm)) ∈ Z

mnq . For a matrix A = [a1 | · · · | am] ∈ R1×m

q ,define rot(A) to be the matrix

rot(A) =[rot(a1) | · · · | rot(am)

]∈ Z

n×mnq .

Using the generalized notations, we can interpret y = A · v over Rq as matrix-vector multiplication τ(y) = rot(A) · τ(v) over Zq.

For a = a0 + a1 ·X + . . .+ an−1 ·XN−1 ∈ R, we define ‖a‖∞ = maxi(|ai|).Similarly, for vector b = (b1, . . . , bm)⊤ ∈ Rm, we define ‖b‖∞ = maxj(‖bj‖∞).

We now recall the average-case problems RSIS and RLWE associated with therings R,Rq, as well as their hardness results.

Definition 1 ([39,50,40]). Given a uniform matrix A = [a1|a2| · · · |am] overR1×m

q , the RSIS∞n,m,q,β problem asks to find a ring vector b = (b1, b2, . . . , bm)⊤

over Rm such that A · b = a1 · b1 + a2 · b2 + · · · + am · bm = 0 over Rq and0 < ‖b‖∞ ≤ β.

For polynomial bounded m,β and q ≥ β · O(√n), it was proven that the

RSIS∞n,m,q,β problem is no easier than the SIVPγ problem in any ideal in the ring

R, where γ = β · O(√nm) (see [39,50,27]).

Definition 2 ([42,56,43]). For positive integers n,m, q ≥ 2 and a probability

distribution χ over the ring R, define a distribution As,χ over Rq×Rq for s$←− Rq

in the following way: it first samples a uniformly random element a ∈ Rq, an

6

error element e ← χ, and then outputs (a, a·s+e). The target of the RLWEn,m,q,χ

problem is to distinguish m samples chosen from a uniform distribution over

Rq ×Rq and m samples chosen from the distribution As,χ for s$←− Rq.

Let q ≥ 2 and B = O(√n) be positive integers. χ is a distribution over R which

efficiently outputs samples e ∈ R with ‖e‖∞ ≤ B with overwhelming probabilityin n. Then there is a quantum reduction from the RLWEn,m,q,χ problem tothe SIVPγ problem and the SVPγ problem in any ideal in the ring R, where

γ = O(√n · q/B) (see [42,10,27,49]). It is shown that the hardness of the RLWE

problem is preserved when the secret s is sampled from the error distribution χ(see [42,10]).

2.2 Decompositions

We now recall the integer decomposition technique from [33]. For any pos-itive integer B, let δB := ⌊log2 B⌋ + 1 = ⌈log2(B + 1)⌉ and the sequence

B1, . . . , BδB, where Bj = ⌊B+2j−1

2j ⌋, for any j ∈ [δB]. It is then verifiable that∑δB

j=1 Bj = B. In addition, for any integer a ∈ [0, B], one can decompose a

into a vector of the form idecB(a) = (a(1), a(2), . . . , a(δB))⊤ ∈ {0, 1}δB , satis-fying (B1, B2, . . . , BδB

) · idecB(a) = a. The procedure of the decomposition ispresented below in a deterministic manner.

1. a′ := a2. For j = 1 to δB do:

(i) If a′ ≥ Bj then a(j) := 1, else a(j) := 0;(ii) a′ := a′ −Bj · a(j).

3. Output idecB(a) = (a(1), . . . , a(δB))⊤.

In [36], the above decomposition procedure is also utilized to deal with poly-nomials in the ring Rq. Specifically, for B ∈ [1, q−1

2 ], define the injective functionrdecB that maps a ∈ Rq with ‖a‖∞ ≤ B to a ∈ RδB with ‖a‖∞ ≤ 1, whichworks as follows.

1. Let τ(a) = (a0, . . . , an−1)⊤. For each i, let σ(ai) = 0 if ai = 0; σ(ai) = −1 ifai < 0; and σ(ai) = 1 if ai > 0.

2. ∀i, compute wi = σ(ai) · idecB(|ai|) = (wi,1, . . . , wi,δB)⊤ ∈ {−1, 0, 1}δB .

3. Form the vector w = (w0‖ . . . ‖wn−1) ∈ {−1, 0, 1}nδB , and let a ∈ RδB bethe vector such that τ(a) = w.

4. Output rdecB(a) = a.

To deal with ring vectors of dimension m ∈ Z+ and of infinity bound B ∈

Z+, we generalize the notion rdecB(v) in the following way: it maps a ring

vector v = (v1, . . . , vm)⊤ ∈ Rmq such that ‖v‖∞ ≤ B to a vector rdecB(v) =(

rdecB(v1)‖ . . . ‖rdecB(vm))∈ RmδB , whose coefficients are in the set {−1, 0, 1}.

7

Now, ∀m,B ∈ Z+, we define matrices HB ∈ Z

n×nδB and Hm,B ∈ Znm×nmδB as

HB =

B1 . . . BδB

. . .

B1 . . . BδB

, and Hm,B =

HB

. . .

HB

.

Then we have

τ(a) = HB · τ(rdecB(a)) mod q and τ(v) = Hm,B · τ(rdecB(v)).

For simplicity reason, when B = q−12 , we will use the notation rdec instead

of rdec q−1

2

, and H instead of H q−1

2

.

2.3 A Variant of the Ducas-Micciancio Signature scheme

We recall the stateful and adaptively secure version of Ducas-Micciancio signa-ture scheme [15,16], which is used to enroll new users in our construction.

Following [15,16], throughout this work, for any real constants c > 1 andα0 ≥ 1

c−1 , define a series of sets Tj = {0, 1}cj of lengths cj = ⌊α0cj⌋ for j ∈ [d],

where d ≥ logc(ω(log n)). For each tag t = (t0, t1, . . . , tcj)⊤ ∈ Tj for j ∈ [d],

associate it with a ring element t(X) =∑cj

k=0 tk ·Xk ∈ Rq. Let c0 = 0 and then

define t[i](X) =∑ci−1

k=ci−1tk · Xk and t[i] = (tci−1

, . . . , tci−1)⊤ for i ∈ [j]. Then

one can check t = (t[1]‖t[2]‖ · · · ‖t[j]) and t(X) =∑j

i=1 t[i](X).

This variant works with the following parameters.

– Let n,m, q, k be some positive integers such that n ≥ 4 is a power of 2,m ≥ 2⌈log q⌉ + 2, and q = 3k. Define the rings R = Z[X ]/(Xn + 1) andRq = R/qR.

– Let the message dimension be ms = poly(n). Also, let ℓ = ⌊log q−12 ⌋+1, and

m = m+ k and ms = ms · ℓ.– Let integer β = O(n) and integer d and sequence c0, . . . , cd be as above.– Let S ∈ Z be a state that is 0 initially.

The public verification key consists of the following:

A,F0 ∈ R1×mq ; A[0], . . . ,A[d] ∈ R1×k

q ; F ∈ R1×ℓq ; F1 ∈ R1×ms

q ; u ∈ Rq

while the secret signing key is a Micciancio-Peikert [46] trapdoor matrix R ∈Rm×k

q .When signing a message m ∈ Rms

q , the signer first computes m = rdec(m) ∈Rms , whose coefficients are in the set {−1, 0, 1}. He then performs the followingsteps.

– Set the tag t = (t0, t1 . . . , tcd−1)⊤ ∈ Td, where S =∑cd−1

j=0 2j ·tj, and compute

At = [A|A[0] +∑d

i=1 t[i]A[i]] ∈ R1×(m+k)q . Update S to S + 1.

8

– Choose r ∈ Rm with ‖r‖∞ ≤ β.

– Let y = F0 · r + F1 ·m ∈ Rq and up = F · rdec(y) + u ∈ Rq.– Employing the trapdoor matrix R, produce a ring vector v ∈ Rm+k with

At · v = up over the ring Rq and ‖v‖∞ ≤ β.– Return the tuple (t, r,v) as a signature for the message m.

To check the validity of the tuple (t, r,v) with respect to message m ∈ Rmsq ,

the verifier first computes the matrix At as above and verifies the followingconditions:

{At · v = F · rdec(F0 · r + F1 · rdec(m)) + u,

‖r‖∞ ≤ β, ‖v‖∞ ≤ β.

He outputs 1 if all these three conditions hold and 0 otherwise.

Lemma 1 ([15,16]). Given at most polynomially bounded number of signaturequeries, the above variant is existentially unforgeable against adaptive chosenmessage attacks assuming the hardness of the RSIS

n,m,q,O(n2)problem.

2.4 Zero-Knowledge Argument of Knowledge

We will work with statistical zero-knowledge argument systems, namely, in-teractive protocols where the ZK property holds against any cheating verifier,while the soundness property only holds against computationally bounded cheat-ing provers. More formally, let the set of statements-witnesses R = {(y, w)} ∈{0, 1}∗×{0, 1}∗ be an NP relation. A two-party game 〈P ,V〉 is called an interac-tive argument system for the relation R with soundness error e if the followingtwo conditions hold:

– Completeness. If (y, w) ∈ R then Pr[〈P(y, w),V(y)〉 = 1

]= 1.

– Soundness. If (y, w) 6∈ R, then ∀ PPT P : Pr[〈P(y, w),V(y)〉 = 1] ≤ e.

An argument system is called statistical ZK if for any V(y), there exists a PPT

simulator S(y) having oracle access to V(y) and producing a simulated transcriptthat is statistically close to the one of the real interaction between P(y, w) and

V(y). A related notion is argument of knowledge, which, for three-move proto-cols (commitment-challenge-response), requires the existence of a PPT extractortaking as input a set of valid transcripts with respect to all possible values of the“challenge” to the same “commitment” and outputting w′ such that (y, w′) ∈ R.

The statistical zero-knowledge arguments of knowledge (ZKAoK) presentedin this work are Stern-like [57] protocols. In particular, they are Σ-protocolsin the generalized sense defined in [21,4] (where 3 valid transcripts are neededfor extraction, instead of just 2). Stern’s protocol was originally proposed inthe context of code-based cryptography, and was later adapted into the latticesetting by Kawachi et al. [22]. Subsequently, it was empowered by Ling et al. [33]

9

to handle the matrix-vector relations where the secret vectors are of small infinitynorm, and further developed to design various lattice-based schemes. Libert etal. [28] put forward an abstraction of Stern’s protocol to capture a wider rangeof lattice-based relations. Now let us recall it.

An Abstraction of Stern’s Protocol. Let integers q,K,L be positive suchthat L ≥ K and q ≥ 2, and VALID ⊂ {−1, 0, 1}L. Given a finite set S, asso-ciate every η ∈ S with a permutation Γη of L elements such that the followingconditions hold:

{w ∈ VALID ⇐⇒ Γη(w) ∈ VALID,

If w ∈ VALID and η is uniform in S, then Γη(w) is uniform in VALID.(1)

Our target is to construct a statistical ZKAoK for the abstract relation Rabstract

of the following form:

Rabstract ={

(M,u),w ∈ ZK×Lq × Z

Kq × VALID : M ·w = u mod q.

}

To obtain the desired ZKAoK protocol, one has to prove that w ∈ VALID

and w satisfies the linear equation M · w = u mod q. To prove w ∈ VALID

in a zero-knowledge manner, the prover chooses η$←− S and allows the verifier

to check Γη(w) ∈ VALID. According to the first condition in (1), the verifiershould be convinced that w is indeed from the set VALID. At the same time, theverifier cannot learn any extra information about w due to the second conditionin (1). Furthermore, to prove in ZK that the linear equation holds, the prover

first chooses rw$←− Z

Lq as a masking vector and then shows the verifier that the

equation M · (w + rw) = M · rw + u mod q holds.

In Figure 1, we describe in details the interaction between two PPT algo-rithms prover P and verifier V . The system utilizes a statistically hiding andcomputationally binding string commitment scheme COM (e.g., the RSIS-basedscheme from [22]).

Theorem 1 ([28]). Let COM be a statistically hiding and computationally bind-ing string commitment scheme. Then the interactive protocol depicted in Figure 1is a statistical ZKAoK with perfect completeness, soundness error 2/3, and com-munication cost O(L log q). Specifically:

– There exists a polynomial-time simulator that on input (M,u), with proba-bility 2/3 it outputs an accepted transcript that is within statistical distancefrom the one produced by an honest prover who knows the witness.

– There exists a polynomial-time algorithm that, takes as inputs (M,u) andthree accepting transcripts on (M,u), (CMT, 1,RSP1), (CMT, 2,RSP2), and(CMT, 3,RSP3), outputs w′ ∈ VALID such that M ·w′ = u mod q.

The details of the proof appeared in [28] and are omitted here.

10

1. Commitment: Prover chooses rw$←− Z

Lq , η

$←− S and randomness ρ1, ρ2, ρ3 for

COM. Then he sends CMT =(C1, C2, C3

)to the verifier, where

C1 = COM(η, M · rw mod q; ρ1), C2 = COM(Γη(rw); ρ2),

C3 = COM(Γη(w + rw mod q); ρ3).

2. Challenge: V sends back a challenge Ch$←− {1, 2, 3} to P .

3. Response: According to the choice of Ch, P sends back RSP computed in thefollowing way:

– Ch = 1: Let tw = Γη(w), tr = Γη(rw), and RSP = (tw, tr, ρ2, ρ3).

– Ch = 2: Let η2 = η, w2 = w + rw mod q, and RSP = (η2, w2, ρ1, ρ3).

– Ch = 3: Let η3 = η, w3 = rw , and RSP = (η3, w3, ρ1, ρ2).

Verification: When receiving RSP from P , V performs as follows:

– Ch = 1: Check that tw ∈ VALID, C2 = COM(tr; ρ2), C3 = COM(tw+tr mod q; ρ3).

– Ch = 2: Check that C1 = COM(η2, M·w2−u mod q; ρ1), C3 = COM(Γη2(w2); ρ3).

– Ch = 3: Check that C1 = COM(η3, M ·w3; ρ1), C2 = COM(Γη3(w3); ρ2).

In each case, V returns 1 if and only if all the conditions hold.

Fig. 1: Stern-like ZKAoK for the relation Rabstract.

2.5 The Refined Permuting Techniques by Ling et al.

We next recall the permuting techniques recently suggested by Ling et al. [36],which will be used throughout this paper.

Proving that z ∈ {−1, 0, 1}. Let b an integer. Denote the integer b′ ∈ {−1, 0, 1}with b′ = b mod 3 as [b]3. For any z ∈ {−1, 0, 1}, define vector enc3(z) in thefollowing manner:

enc3(z) =([z + 1]3, [z]3, [z − 1]3

)⊤ ∈ {−1, 0, 1}3.

Namely, enc3(−1) = (0,−1, 1)⊤, enc3(0) = (1, 0,−1)⊤ and enc3(1) = (−1, 1, 0)⊤.Let e ∈ {−1, 0, 1}, define a permutation πe associated to e as follows. It

transforms vector v = (v(−1), v(0), v(1))⊤ ∈ Z3 into vector

πe(v) = (v([−e−1]3), v([−e]3), v([−e+1]3))⊤.

It is then verifiable that, for any z, e ∈ {−1, 0, 1}, the equivalence belowholds.

v = enc3(z) ⇐⇒ πe(v) = enc3([z + e]3). (2)

In the context of Stern’s protocol, the above equivalence allows us to proveknowledge of z ∈ {−1, 0, 1}, where z may have other constrains. Towards it, we

11

simply extend z to enc3(z), sample a uniform e ∈ {−1, 0, 1}, and then show theverifier πe(enc3(z)) is of the form enc3([z + e]3). Due to the equivalence in (2),the verifier should be convinced that z is in the set {−1, 0, 1}. Furthermore,the “one time pad” e fully hides the value of z. More importantly, the abovetechnique is extendable so that we can employ the same e for other positionswhere z appears. An example of that is to prove that z is involved in a productt · z, which we now recall.

Proving that y = t ·z. Let b ∈ {0, 1}, denote the bit 1−b as b and the additionoperation modulo 2 as ⊕.

For any t ∈ {0, 1} and z ∈ {−1, 0, 1}, let vector ext(t, z) ∈ {−1, 0, 1}6 be ofthe following form:

ext(t, z) =(t · [z+1]3, t · [z+1]3, t · [z]3, t · [z]3, t · [z−1]3, t · [z−1]3

)⊤.

Let b ∈ {0, 1} and e ∈ {−1, 0, 1}, define the permutation ψb,e(·) associated tob, e as follows. It transforms vector

v =(v(0,−1), v(1,−1), v(0,0), v(1,0), v(0,1), v(1,1)

)⊤ ∈ Z6

into vector ψb,e(v) of form

ψb,e(v) =(v(b,[−e−1]3), v(b,[−e−1]3), v(b,[−e]3), v(b,[−e]3), v(b,[−e+1]3), v(b,[−e+1]3)

)⊤.

It can be easily checked that for any t, b ∈ {0, 1} and any z, e ∈ {−1, 0, 1},the following equivalence is satisfied.

v = ext(t, z) ⇐⇒ ψb,e(v) = ext( t⊕ b, [z + e]3 ). (3)

The same as in the case z ∈ {−1, 0, 1}, the above equivalence (3) allows usto prove knowledge of y, where y is a product of secret integers t ∈ {0, 1} andz ∈ {−1, 0, 1}.

Next, we recall the generalizations of the above two core techniques to proveknowledge of vector z ∈ {−1, 0, 1}m as well as vector of the form (5).

Proving that z ∈ {−1, 0, 1}m. We first generalize the notion [b]3 to [b]3 forany b ∈ Z

m, where [b]3 is the vector b′ such that b′ = b mod 3 coordinate-wise.For z = (z1, . . . , zm)⊤ ∈ {−1, 0, 1}m, define the following extension:

enc(z) =(

enc3(z1) ‖ · · · ‖ enc3(zm))∈ {−1, 0, 1}3m.

Let e = (e1, . . . , em)⊤ ∈ {−1, 0, 1}m, define the permutation Πe associatedto e as follows. It maps vector v = (v1‖ . . . ‖vm) ∈ Z

3m consisting of m blocksof size 3 to vector as follows:

Πe(v) =(πe1

(v1)‖ . . . ‖πem(vm)

).

Following (2), for any z, e ∈ {−1, 0, 1}m, we obtain the following equivalence:

v = enc(z) ⇐⇒ Πe(v) = enc([z + e]3). (4)

12

Handling a “mixing” vector. We now deal with a “mixing” vector of thefollowing form:

y =(

z ‖ t0 · z ‖ . . . ‖ tcd−1 · z), (5)

where z ∈ {−1, 0, 1}m and t = (t0, t1, . . . , tcd−1)⊤ ∈ {0, 1}cd for m, cd ∈ Z+.

First, we define the extension vector mix(t, z) ∈ {−1, 0, 1}3m+6mcd of vectory in the following manner:(

enc(z) ‖ ext(t0, z1) ‖ . . . ‖ ext(t0, zm) ‖ . . . ‖ ext(tcd−1, z1) ‖ . . . ‖ ext(tcd−1, zm)).

Next, for b = (b0, · · · , bcd−1)⊤ ∈ {0, 1}cd and e = (e1, . . . , em)⊤ ∈ {−1, 0, 1}m,we define the permutation Ψb,e that works as follows. It maps vector v ∈Z

3m+6mcd of form

v =(v−1 ‖ v0,1 ‖ . . . ‖ v0,m ‖ . . . ‖ vcd−1,1 ‖ . . . ‖ vcd−1,m

),

where block v−1 has length 3m and each block vi,j has length 6, to vector Ψb,e(v)of form

Ψb,e(v) =(Πe(v−1)‖ ψb0,e1

(v0,1)‖ . . . ‖ψb0,em(v0,m)‖ . . . ‖

ψbcd−1,e1(vcd−1,1)‖ . . . ‖ψbcd−1,em

(vcd−1,m)).

Then, for all t,b ∈ {0, 1}cd and z, e ∈ {−1, 0, 1}m, one can check the followingequivalence holds:

v = mix(t, z) ⇐⇒ Ψb,e(v) = mix( t⊕ b, [z + e]3 ). (6)

2.6 Zero-Knowledge Protocol for the Ducas-Micciancio Signature

We now recall the statistical zero-knowledge argument of knowledge of a validmessage-signature pair for the Ducas-Micciancio signature, as presented in [36].Let n, q,m, k,m,ms, ℓ, β, d, c0, . . . , cd as specified in Section 2.3. The protocol issummarized below.

– The public input consists of

A,F0 ∈ R1×mq ; A[0], . . . ,A[d] ∈ R1×k

q ; F ∈ R1×ℓq ; F1 ∈ R1×ms

q ; u ∈ Rq.

– The secret input of the prover consists of message m ∈ Rmsq and signature

(t, r,v), where{t = (t0, . . . , tc1−1, . . . , tcd−1

, . . . , tcd−1)⊤ ∈ {0, 1}cd;

r ∈ Rm; v = (s‖z) ∈ Rm+k; s ∈ Rm; z ∈ Rk;

– The goal of the prover is to prove in ZK that ‖r‖∞ ≤ β, ‖v‖∞ ≤ β, and thatthe following equation

A · s + A[0] · z +

d∑

i=1

A[i] · t[i] · z = F · y + u (7)

13

holds for{t[i] =

∑ci−1j=ci−1

tj ·Xj}d

i=1and

y = rdec (F0 · r + F1 · rdec(m)) ∈ Rℓ. (8)

The next step is to transform the secret input into a vector w that belongsto a specific set VALID and reduce the considered statements (7) and (8) intoM·w = u mod q for some public input M,u, in the form of the abstract protocolfrom Section 2.4. To realize this, we employ the following two steps.

Decomposing-Unifying. To begin with, we utilize the notations rot and τfrom Section 2.1 and the decomposition techniques from Section 2.2.

Let s⋆ = τ(rdecβ(s)) ∈ {−1, 0, 1}nmδβ , z⋆ = τ(rdecβ(z)) ∈ {−1, 0, 1}nkδβ andr⋆ = τ(rdecβ(r)) ∈ {−1, 0, 1}nmδβ . Then, one can check that, equation (7) isequivalent to,

[rot(A[0]) ·Hk,β ] · z⋆ +

d∑

i=1

ci−1∑

j=ci−1

[rot(A[i] ·Xj) ·Hk,β ] · tj · z⋆ +

[rot(A) ·Hm,β] · s⋆ − [rot(F)] · τ(y) = τ(u) mod q,

and equation (8) is equivalent to

[rot(F0) ·Hm,β] · r⋆ + [rot(F1)] · τ(rdec(m))− [H] · τ(y) = 0 mod q.

Rearrange the two derived equations using some basic algebra, we are ableto obtain the following unifying equation:

M0 ·w0 = u mod q,

where u = (τ(u) ‖ 0) ∈ Z2nq and M0 are built from public input, and w0 =

(w1 ‖ w2) is built from secret input with w1 ∈ {−1, 0, 1}(kδβ+cdkδβ )n and w2 ∈{−1, 0, 1}2nmδβ+nℓ+nms and

{w1 = (z⋆ ‖ t0 · z⋆ ‖ . . . ‖ tcd−1 · z⋆);

w2 = (s⋆ ‖ r⋆ ‖ τ(y) ‖ τ(rdec(m))).

Until now, we have transformed the secret input into a vector w0 whose co-efficients are in the set {−1, 0, 1} and reduced statements (7) and (8) intoM0 ·w0 = u mod q, where M0,u are public.Extending-Permuting. Now the target is to transform the secret vector w0 toa vector w such that the conditions in (1) hold. Towards this goal, the extensionand permutation techniques described in Section 2.5 is employed.

We first extend w0 = (w1‖w2) as follows.

w1 7→ w′1 = mix

(t, z⋆

)∈ {−1, 0, 1}L1; (9)

w2 7→ w′2 = enc(w2) ∈ {−1, 0, 1}L2.

14

Then form a new vector w = (w′1‖w′

2) ∈ {−1, 0, 1}L, where L = L1 + L2 and

L1 = (kδβ + 2cdkδβ)3n; L2 = 6nmδβ + 3nℓ+ 3nms.

According to the extension, adding suitable zero-columns to M0 to obtain a newmatrix M ∈ Z

2n×Lq such that M ·w = M0 ·w0.

We are ready to define the set VALID that consists of our transformed secretvector w, the set S, and the associated permutations {Γη : η ∈ S}, such thatthe conditions in (1) are all satisfied.

Let VALID be the set of all vectors v′ = (v′1‖v′

2) ∈ {−1, 0, 1}L such that thefollowing conditions hold:

– v′1 = mix(t, z⋆) for some vectors t ∈ {0, 1}cd and z⋆ ∈ {−1, 0, 1}nkδβ .

– v′2 = enc(w2) for vector w2 ∈ {−1, 0, 1}L2/3.

It is easy to see that w belongs to this special set VALID.

Now, define S = {0, 1}cd × {−1, 0, 1}nkδβ × {−1, 0, 1}L2/3. For each elementη = (b, e, f) ∈ S, define an associated permutation Γη as follows. It permutesvector v⋆ = (v⋆

1‖v⋆2) ∈ Z

L, where v⋆1 ∈ Z

L1 and v⋆2 ∈ Z

L2 , into vector of thefollowing form:

Γη(v⋆) =(Ψb,e(v⋆

1) ‖ Πf (v⋆2)

).

It then follows from the equivalences in (4) and (6) that VALID, S, and Γη

satisfy the conditions in (1). Therefore, we have obtained an instance of theabstract protocol from Section 2.4. Up to this point, running the protocol ofFigure 1 results in the desired statistical ZKAoK protocol. The protocol hasperfect completeness, soundness error 2/3, and communication cost O(L · log q),

which is of order O(n · log4 n) = O(λ).

2.7 Key-Oblivious Encryption

We next recall the definitions of key-oblivious encryption (KOE), as introducedin [25]. A KOE scheme consists of the following polynomial-time algorithms.

Setup(λ): On input the security parameter λ, it outputs public parameter pp.pp is implicit for all algorithms below if not explicitly mentioned.

KeyGen(pp): On input pp, it generates a key pair (pk, sk).

KeyRand(pk): On input the public key pk, it outputs a new public key pk′ forthe same secret key.

Enc(pk,m): On inputs pk and a message m, it outputs a ciphertext ct on thismessage.

Dec(sk, ct): On inputs sk and ct, it outputs the decrypted message m′.

Correctness. The above scheme must satisfy the following correctness re-quirement: For all λ, all pp ← Setup(λ), all (pk, sk) ← KeyGen(pp), all pk′ ←KeyRand(pk), all m,

Dec(sk,Enc(pk′,m)) = m.

15

Security. The security requirements of a KOE scheme consist of key randomiz-ability (KR), plaintext indistinguishability under key randomization (INDr), andkey privacy under key randomization (KPr).Key Randomizability. KR requires that any adversary cannot determine howpublic keys are related to each other without possession of secret keys. Detailsare modelled in the experiment ExpKR

KOE,A(λ) in Fig 2.

Define the advantage AdvKRKOE,A(λ) of adversary A against KR of the KOE

scheme as |2Pr[ExpKRKOE,A(λ) = 1] − 1|. A KOE scheme is key randomizable if

the advantage of any PPT adversary A is negligible.

Plaintext indistinguishability under key randomization. INDr requiresthat any adversary cannot distinguish ciphertext of one message from ciphertextof another one even though the adversary is allowed to choose the two mes-sages and to randomize the public key. Details are modelled in the experimentExpINDr

KOE,A(λ) in Fig 2.

Define the advantage AdvINDrKOE,A(λ) of adversary A against INDr of the KOE

scheme as |2Pr[ExpINDrKOE,A(λ) = 1] − 1|. A KOE scheme is plaintext indistin-

guishable under key randomization if the advantage of any PPT adversary A isnegligible.

ExpKRKOE,A(λ)

b← {0, 1}, pp← Setup(λ), (pk, sk)← KeyGen(pp).pk0 ← KeyRand(pk), (pk1, sk1)← KeyGen(pp).b′ ← A(pk, pkb).Return (b′ = b).ExpINDr

KOE,A(λ)

b← {0, 1}, pp← Setup(λ), (pk, sk)← KeyGen(pp).(pk′, r,m0,m1, st)← A(pk).If pk′ 6= KeyRand(pk, r), then return ⊥; else ct← Enc(pk′,mb).b′ ← A(ct, st).Return (b′ = b).ExpKPr

KOE,A(λ)

b← {0, 1}, pp← Setup(λ); (pk0, sk0)← KeyGen(pp), (pk1, sk1)← KeyGen(pp).(m, pk′

0, r0, pk′

1, r1, st)← A(pk0, pk1).If ∃ c such that pk′

c 6= KeyRand(pkc, rc), then return ⊥; else ct← Enc(pk′

b,m).b′ ← A(ct, st).Return (b′ = b).

Fig. 2: Experiment to define security requirements of a KOE scheme.

Key privacy under key randomization. KPr requires that any adversarycannot distinguish ciphertext of a message under one public key from ciphertextof the same message under another public key even though the adversary isallowed to choose the message and to randomize the two public keys. Details aremodelled in the experiment ExpKPr

KOE,A(λ) in Fig 2.

16

Define the advantage AdvKPrKOE,A(λ) of adversary A against INDr of the KOE

scheme as |2Pr[ExpKPrKOE,A(λ) = 1]− 1|. A KOE scheme is key private under key

randomization if the advantage of any PPT adversary A is negligible.

2.8 Accountable Tracing Signatures

We then recall the definition of accountable tracing signature (ATS), as intro-duced in [25]. An ATS scheme involves a group manager (GM) who also serves asthe opening authority (OA), a set of users, who are potential group members. Asa standard group signature scheme (e.g. [2,3]), GM is able to identify the signerof a given signature. However, if GM is able to do so, there is an additionalaccounting mechanism that later reveals which user he chose to trace (traceableuser). Specifically, if a user suspects that he was traceable by group managerwho had claimed non-traceability of this user, then the user can resort to thismechanism to check whether group manager is honest/accountable or not. AnATS scheme consists of the following polynomial-time algorithms.

Setup(λ): On input the security parameter λ, it outputs public parameter pp.pp is implicit for all algorithms below if not explicitly mentioned.

GKeyGen(pp): This algorithm is run by GM. On input pp, GM generates grouppublic key gpk and group secret keys: issue key ik and opening key ok.

UKeyGen(pp): Given input pp, it outputs a user key pair (upk, usk).Enroll(gpk, ik, upk, tr): This algorithm is run by GM. Upon receiving a user public

key upk from a user, GM determines the value of the bit tr ∈ {0, 1}, indicatingwhether the user is traceable (tr = 1) or not. He then produces a certificatecert for this user according to his choice of tr. GM then registers this user tothe group and stores the registration information and the witness wescrw tothe bit tr, and sends cert to the user.

Sign(gpk, cert, usk,M): Given the inputs gpk, cert, usk and message M , this al-gorithm outputs a signature Σ on this message M .

Verify(gpk,M,Σ): Given the inputs gpk and the message-signature pair (M,Σ),this algorithm outputs 1/0 indicating whether the signature is valid or not.

Open(gpk, ok,M,Σ): Given the inputs gpk, ok and the pair (M,Σ), this algo-rithm returns a user public key upk′ and a proof Πopen demonstrating thatuser upk′ indeed generated the signature Σ. In case of upk′ = ⊥, Πopen = ⊥.

Judge(gpk,M,Σ, upk′, Πopen): Given all the inputs, this algorithm outputs 1/0indicating whether it accepts the opening result or not.

Account(gpk, cert, wescrw, tr): Given all the inputs, this algorithm returns 1 con-firming the choice of tr and 0 otherwise.

Correctness. The above ATS scheme requires that: for any honestly generatedsignature, the Verify algorithm always outputs 1. Furthermore, if the user istraceable, then Account algorithm outputs 1 when tr = 1, and the Open algorithmcan identify the signer and generate a proof Πopen that will be accepted by the

17

Judge algorithm. On the other hand, if the user is non-traceable, then the Account

algorithm outputs 1 when tr = 0, and the Open algorithm outputs ⊥.

Remark 1. There is a minor difference between the syntax we describe here andthat presented by Kohlweiss and Miers [25]. Specifically, we omit the time epochwhen the user joins the group, since we do not consider forward and backwardtracing scenarios as in [25].

Security. The security requirements of an ATS scheme consist of anonymityunder tracing (AuT), traceability (Trace), and non-frameability (NF), anonymitywith accountability (AwA) and trace-obliviousness (TO).Anonymity under tracing. AuT is the standard anonymity requirement ofgroup signatures (e.g. [2,3]). It guarantees that even when being traced, usersare anonymous to the adversary who does not hold the opening key. Details aremodelled in the experiment in Figure 3.

ExpAuT−bATS,A (λ)

pp← Setup(λ).(gpk, ik, ok)← GKeyGen(pp).b′ ← ACh,Open(gpk, ik)Return b′.Oracle Open(M, Σ)

If Σ ∈ Q, then return ⊥,Else return(upk, Π)← Open(ok, M, Σ).

Oracle Ch(cert0, cert1, usk0, usk1, M, wescrw0 , wescrw

1 , 1)

Σ0 ← Sign(gpk, cert0, usk0, M).Σ1 ← Sign(gpk, cert1, usk1, M).If (Σ0 6= ⊥ ∧Σ1 6= ⊥ ∧

Account(gpk, cert0, wescrw0 , 1) ∧

Account(gpk, cert1, wescrw1 , 1))

Q← Q ∪ {Σb}return Σb,

Else return ⊥.

Fig. 3: Experiment to define anonymity under tracing

Define the advantage AdvAuTATS,A(λ) of adversary A against anonymity under

tracing of the ATS scheme as |Pr[ExpAuT−1ATS,A (λ) = 1]−Pr[ExpAuT−0

ATS,A (λ) = 1]|. AnATS scheme is anonymous under tracing if the advantage of any PPT adversaryA is negligible.

Traceability. Traceability requires that every valid signature will trace tosomeone as long as the adversary does not hold both the certificate and usersecret key of a user who is not traceable (non-traceable user). As pointed out byKohlweiss and Miers [25], this is slightly different from the standard traceabilitygame (e.g. [2,3]), where all users are being traced by GM. In an ATS scheme, whenadversary queries certificate of a user of his choice, challenger will always generatea certificate according to tr = 1. In other words, the user of the adversary’schoice is a traceable user. This ensures that the adversary does not hold bothcertificate and user secret key for a non-traceable user. Details are modelled inthe experiment in Figure 4.

Define the advantage AdvTraceATS,A(λ) of adversary A against traceability of

the ATS scheme as Pr[ExpTraceATS,A(λ) = 1]. An ATS scheme is traceable if the

advantage of any PPT adversary A is negligible.

18

ExpTraceATS,A(λ)

pp← Setup(λ).(gpk, ik, ok)← GKeyGen(pp).(M, Σ)← AUKG,Enroll,Sign,Open(gpk).Return 0 if (M, Σ) ∈ Q or

Verify(gpk, M, Σ) = 0.Else (upk, Π)← Open(ok, m, Σ).Return 1 if upk = ⊥ or

Judge(gpk, M, Σ, upk, Π) = 0.Else return 0.

Oracle UKG(pp)

(upk, usk)← UKeyGen(pp).S[upk] = usk.Return upk.

Oracle Enroll(upk, tr)

Let tr′ = (upk /∈ dom S) ∈ {0, 1}.(cert, wescrw)← Enroll(ik, upk, tr ∨ tr′).Return cert.Oracle Sign(cert, M)

usk = S[cert.upk].If (usk = ⊥), return ⊥.Else Σ ← Sign(gpk, cert, usk, M).

Q = Q ∪ {(m, Σ)}.return Σ.

Oracle Open(M, Σ)

(upk, Π)← Open(ok, M, Σ)Return (upk, Π).

Fig. 4: Experiment to define traceability.

Non-frameability. It requires that the adversary cannot sign messages onbehalf of honest users, even though the adversary can corrupt GM and all otherusers. This ensures that signatures signed by a traceable user (traceable signa-tures) are non-repudiated. Details are modelled in the experiment in Figure 5.

ExpNFATS,A(λ)

pp← Setup(λ).(gpk, st)← A(pp).If gpk.pp 6= pp, return ⊥.(M, Σ, upk, Π)← AUKG,Sign(st).Return 1 if ((M, Σ) /∈ Q ∧

Verify(gpk, M, Σ) = 1 ∧upk ∈ dom(S) ∧Judge(gpk, M, Σ, upk, Π) = 1).

Oracle UKG(pp)

(upk, usk)← UKeyGen(pp),S[upk] = usk.Return upk.Oracle Sign(cert, M)

usk = S[cert.upk].If (usk = ⊥) return ⊥.Σ ← Sign(gpk, cert, usk, M).Q = Q ∪ {(M, Σ)}. Return Σ.

Fig. 5: Experiment to define non-frameability.

Define the advantage AdvNFATS,A(λ) of adversary A against non-frameability

of the ATS scheme as Pr[ExpNFATS,A(λ) = 1]. An ATS scheme is non-frameable if

the advantage of any PPT adversary A is negligible.Anonymity with accountability. AwA requires that a user is anonymouseven from a corrupted group manager that has full control over the system aslong as this user is non-traceable. In other words, the certificate is generatedaccording to tr = 0. Details are modelled in the experiment in Figure 6.

Define the advantage AdvAwAATS,A(λ) of A against anonymity with account-

ability of the ATS scheme as |Pr[ExpAwA−1ATS,A (λ) = 1] − Pr[ExpAwA−0

ATS,A (λ) = 1]|.

19

ExpAwA−bATS,A (λ)

pp← Setup(λ).(gpk, st)← A(pp).If gpk.pp 6= pp, return ⊥.b′ ← ACh(st)Return b′.

Oracle Ch(cert0, cert1, usk0, usk1, M, wescrw0 , wescrw

1 , 0)

Σ0 ← Sign(gpk, cert0, usk0, M).Σ1 ← Sign(gpk, cert1, usk1, M).If (Σ0 6= ⊥∧Σ1 6= ⊥ ∧

Account(gpk, cert0, wescrw0 , 0) ∧

Account(gpk, cert1, wescrw1 , 0)),

return Σb.Else return ⊥.

Fig. 6: Experiment to define anonymity with accountability.

An ATS scheme is anonymous with accountability if the advantage of any PPTadversary A is negligible.

Trace-obliviousness. Trace-obliviousness requires that each user cannot de-termine whether they are being traced or not. Details are modelled in the ex-periment in Figure 7.

ExpTO−bATS,A

(λ)

pp← Setup(λ).(gpk, ik, ok)← GKeyGen(pp).b′ ← ACh,Enroll,Open(gpk)Return b′.

Oracle Enroll(upk, tr)

(cert, wescrw)← Enroll(ik, upk, tr).Return cert.Oracle Ch(upk)

(cert, wescrw)← Enroll(ik, upk, b).U = U ∪ {upk}, Return cert.Oracle Open(M, Σ)

(upk, Π)← Open(ok, M, Σ)If upk ∈ U , then return ⊥; Else return (upk, Π).

Fig. 7: Experiment to define trace-obliviousness.

Define the advantage AdvTOATS,A(λ) of adversaryA against trace-obliviousness

of the ATS scheme as |Pr[ExpTO−1ATS,A(λ) = 1] − Pr[ExpTO−0

ATS,A(λ) = 1]|. An ATS

scheme is trace-oblivious if the advantage of any PPT adversary A is negligible.

3 Key-Oblivious Encryption from Lattices

In [25], Kohlweiss and Miers constructed a KOE scheme based on ElGamal cryp-tosystem [18]. To adapt their blueprint into the lattice setting, we would needa key-private homomorphic encryption scheme whose public keys and cipher-texts should have the same algebraic form (e.g., each of them is a pair of ringelements). We observe that, the LPR RLWE-based encryption scheme, under ap-propriate setting of parameters, does satisfy these conditions. We thus obtainan instantiation of KOE which will then serve as a building block for our ATS

construction in Section 5.

20

3.1 Description of Our KOE Scheme

Our KOE scheme works as follows.

Setup(λ): Given the security parameter λ, let n = O(λ) be a power of 2 and

q = O(n4). Also let ℓ = ⌊log q−12 ⌋+ 1. Define the rings R = Z[X ]/(Xn + 1)

and Rq = R/qR. Let the integer bound B be of order O(√n) and χ be a

B-bounded distribution over the ring R. This algorithm then outputs publicparameter pp = {n, q, ℓ, R,Rq, B, χ}.

KeyGen(pp): Given the input pp, this algorithm samples s ← χ, e ← χℓ and

a$←− Rℓ

q. Set pk = (a,b) = (a,a ·s+e) ∈ Rℓq×Rℓ

q and sk = s. It then returns(pk, sk).

KeyRand(pk): Given the public key pk = (a,b), it samples g ← χ, e1 ← χℓ ande2 ← χℓ. Compute

(a′,b′) = (a · g + e1, b · g + e2) ∈ Rℓq ×Rℓ

q.

This algorithm then outputs randomized public key as pk′ = (a′,b′).

Enc(pk′, p): Given the public key pk′ = (a′,b′) and a message p ∈ Rq, it samplesg′ ∈ χ, e′

1 ∈ χℓ and e′2 ∈ χℓ. Compute

(c1, c2) = (a′ · g′ + e′1, b′ · g′ + e′

2 + ⌊q/4⌋ · rdec(p)) ∈ Rℓq ×Rℓ

q.

This algorithm returns ciphertext as ct = (c1, c2).

Dec(sk, ct): Given sk = s and ct = (c1, c2), the algorithm proceeds as follows.1. It computes

p′′ =c2 − c1 · s⌊q/4⌋ .

2. For each coefficient of p′′,– if it is closer to 0 than to −1 and 1, then round it to 0;

– if it is closer to −1 than to 0 and 1, then round it to −1;

– if it is closer to 1 than to 0 and −1, then round it to 1.3. Denote the rounded p′′ as p′ ∈ Rℓ

q with coefficients in {−1, 0, 1}.4. Let p′ ∈ Rq such that τ(p′) = H · τ(p′). Here, H ∈ Z

n×nℓq is the decom-

position matrix for elements of Rq (see Appendix 2.2).

3.2 Analysis of Our KOE Scheme

Correctness. Note that

c2 − c1 · s = b′ · g′ + e′2 + ⌊q/4⌋ · rdec(p)− (a′ · g′ + e′

1) · s= e · g · g′ + e2 · g′ − e1 · s · g′ + e′

2 − e′1 · s+ ⌊q/4⌋ · rdec(p)

where s, g, g′, e, e1, e2, e′1, e

′2 are B-bounded. Hence we have:

‖e ·g ·g′ +e2 ·g′−e1 ·s ·g′ +e′2−e′

1 ·s‖∞ ≤ 3n2 ·B3 = O(n3.5) ≤⌈ q

10

⌉= O(n4).

21

With overwhelming probability, the rounding procedure described in the Dec

algorithm recovers rdec(p) and hence outputs p. Therefore, our KOE scheme iscorrect.

Security. The security of our KOE scheme is stated in the following theorem.

Theorem 2. Under the RLWE assumption, the described key-oblivious encryp-tion scheme satisfies: (i) key randomizability; (ii) plaintext indistinguishabilityunder key randomization; and (iii) key privacy under key randomization.

The proof of Theorem 2 is established by Lemma 2-4.

Lemma 2. The key-oblivious encryption scheme described in Section 3.1 is keyrandomizable defined in Section 2.7 under RLWE assumption.

Proof. Notice that the samples chosen according to As,χ for some s ← χ areindistinguishable from random under the RLWE assumption. Therefore, the hon-estly generated public key pk = (a,b) ∈ Rℓ

q ×Rℓq is indistinguishable from truly

random pair pk = (a, b) ∈ Rℓq ×Rℓ

q. Hence, we may replace pk with pk and thismodification is negligible to the adversary.

Let pk0 = (a · g + e1, b · g + e2) and pk1 = (a′,a′ · s′ + e′), where pk1 is

independent of pk. When b = 0, adversary is given (a, b, a·g+e1, b·g+e2), which

are 2ℓ samples chosen according to Ag,χ. Therefore, (pk, pk0) is indistinguishablefrom 2ℓ samples chosen according to U(Rq×Rq). When b = 1, adversary is given

(a, b,a′,a′ · s′ + e′). Since pk1 is independent of pk, so we can replace pk1 with

a truly random pair. Hence, (pk, pk1) is also indistinguishable from 2ℓ sampleschosen according to U(Rq×Rq). Therefore, the adversary cannot distinguish thecase b = 0 from the case b = 1.

It then follows that the advantage of any PPT adversary in the experimentExpKR

KOE,A(λ) is negligible and hence our KOE scheme is key randomizable.

Lemma 3. The key-oblivious encryption scheme described in Section 3.1 isplaintext indistinguishable under key randomization defined in Section 2.7 underRLWE assumption.

Proof. Let A be any PPT adversary attacking the plaintext indistinguishabilityunder key randomization with advantage ǫ, we will show ǫ = negl(λ) assum-ing the hardness of the RLWE problem. Specifically, we construct a sequenceof indistinguishable games G0, G1, G2, G3, G4, such that, AdvA(G0) = ǫ andAdvA(G4) = 0.

Game G0: This is the real experiment ExpINDrKOE,A(λ). The challenger generates

a public key pk = (a,b) = (a,a ·s+e) honestly, sends it to the adversary A,receives back a randomized key pair pk′ = (a·g+e1,b·g+e2), the randomnessused to generate pk′, and two messages p0, p1 ∈ Rq. The challenger firstchecks whether pk′ is generated from the randomness or not. If not, the

challenger returns ⊥. Otherwise, he samples b$←− {0, 1} and encrypts the

22

message pb to ciphertext (c1, c2) = (a′ ·g′ +e′1, b′ ·g′ +e′

2 +⌊q/4⌋ · rdec(pb))and sends (c1, c2) to the adversary A, who then outputs b′ ∈ {0, 1}. Thisgame outputs 1 if b′ = b or 0 otherwise. By assumption, A has advantage ǫin this game.

Game G1: In this game,we make a slight modification to the Game G0: the

public key pk is replaced with a truly random pair pk = (a, b). By theRLWEn,q,ℓ,χ assumption, the adversary cannot distinguish pk = (a,b) fromuniform. It then follows that G0 is indistinguishable from G1. We addition-

ally remark that pk′ obtained from randomizing pk is indistinguishable fromrandom by the same assumption.

Game G2: In this game, we modify G1 as follows: instead of generating (c1, c2)faithfully using the randomized public key pk′, we generate ciphertext (c1, c2)

as (a′ ·g′ +e′1, b′ ·g′ +e′

2 +⌊q/4⌋·rdec(pb)), where pk′ = (a′, b′) is uniformly

chosen over Rℓq×Rℓ

q. Since pk′ obtained from randomizing pk is indistinguish-able from random, this modification is indistinguishable to adversary A.

Game G3: In this game, we generate (c1, c2) as (z1, z2 +⌊q/4⌋·rdec(pb)), where(z1, z2) ∈ Rℓ

q × Rℓq are uniformly random. The assumed hardness of the

RLWEn,q,ℓ,χ problem implies that G2 and G3 are computationally indistin-guishable.

Game G4: In the game, we make a conceptual modification to G3. Namely, wesample uniformly random z′

1 ∈ Rℓq and z′

2 ∈ Rℓq and let (c1, c2) = (z′

1, z′2). It

is clear that G3 and G4 are statistically indistinguishable. Moreover, sinceG4 is no longer dependent on the challenger’s bit b, the advantage of A inthis game is 0.

It follows from the above construction that the advantage ǫ of the adversary Ais negligible. This concludes the proof.

Lemma 4. The key-oblivious encryption scheme described in Section 3.1 is keyprivate under key randomization defined in Section 2.7 under RLWEn,q,χ as-sumption.

Proof. The proof of Lemma 4 is similar to that of Lemma 3, we briefly describeit here. As in Lemma 3, we construct a sequence of indistinguishable gamesG0, G1, G2, G3, such that, AdvA(G0) = AdvKPr

KOE,A(λ) and AdvA(G3) = 0.

Game G0 is the experiment ExpKPrKOE,A(λ), Game G1 modifies Game G0 by

replacing public key pk0 with truly random pair pk0 while Game G2 modifiesGame G1 by replacing public key pk1 with another independent and random

pair pk1. By the hardness of the RLWEn,q,ℓ,χ problem, these two modificationsare indistinguishable to any PPT adversary. In Game G3, we further modify

Game G2 by generating the ciphertext (c1, c2) using pk′ chosen uniformly overRℓ

q ×Rℓq as in Lemma 3. By the same argument, this change is negligible to any

PPT adversary. Furthermore, since G3 is no longer dependent on the challenger’sbit b, the advantage of adversary in this game is 0. This ends the brief description.

23

4 Handling Quadratically Hidden RLWE Relations

In Section 4.1, we extend the refined permuting technique recalled in Section 2.5to prove that a secret integer y is multiplication of two secret integers a ∈{−1, 0, 1} and g ∈ {−1, 0, 1}. We then describe our zero-knowledge protocol forhandling quadratic relations in the RLWE setting in Section 4.2. Specifically, wedemonstrate how to prove in zero-knowledge that a give vector c is a correctRLWE evaluation, i.e., c = a · g + e, where the hidden vectors a, e and elementg may satisfy additional conditions. The protocol is developed based on Libertet al.’s work [29] on quadratic relations in the general lattice setting.

4.1 Our Extended Permuting Technique

Proving that y = a · g. For any a, g ∈ {−1, 0, 1}, define vector mult3(a, g) ∈{−1, 0, 1}9 of the following form:

mult3(a, g) =([a+ 1]3 · [g + 1]3, [a]3 · [g + 1]3, [a− 1]3 · [g + 1]3, [a+ 1]3 · [g]3,

[a]3 · [g]3, [a− 1]3 · [g]3 , [a+ 1]3 · [g − 1]3, [a]3 · [g − 1]3, [a− 1]3 · [g − 1]3)⊤.

Then for any b, e ∈ {−1, 0, 1}, we define the permutation φb,e(·) that acts in thefollowing way. It maps vector v of the following form

v =(v(−1,−1), v(0,−1), v(1,−1), v(−1,0), v(0,0), v(1,0), v(−1,1), v(0,1), v(1,1)

)⊤ ∈ Z9

into vector φb,e(v) of the following form

φb,e(v) =(v([−b−1]3,[−e−1]3), v([−b]3,[−e−1]3), v([−b+1]3,[−e−1]3),

v([−b−1]3,[−e]3), v([−b]3,[−e]3), v([−b+1]3,[−e]3),

v([−b−1]3,[−e+1]3), v([−b]3,[−e+1]3), v([−b+1]3,[−e+1]3))⊤.

Then for any a, b, g, e ∈ {−1, 0, 1}, one is able to check that the following equiv-alence is satisfied.

v = mult3(a, g)⇐⇒ φb,e(v) = mult3([a + b]3,[g + e]3). (10)

Note that the above equivalence in (10) is essential to prove knowledge of suchsecret integer y in the framework of Stern’s protocol. We first extend y to vectorv = mult3(a, g), sample uniform b ∈ {0, 1} and e ∈ {−1, 0, 1}, and then demon-strate to the verifier φb,e(v) = mult3( [a + b]3, [g + e]3 ). Due to the equivalencein (10), the verifier should be convinced of the well-formedness of y and no extrainformation is revealed to him. Furthermore, the technique is extendable so thatwe can use the same “one time pads” b and e at the places where a and g appear,respectively.

Now we generalize the above technique to prove knowledge of vector of thefollowing expansion form. We aim to obtain equivalence similar to (10), whichis useful in Stern’s framework.

24

Handling an expansion vector. We now tackle an expansion vector y =expd(a,g) of the form y = (y0‖ . . . ‖yn−1) ∈ {−1, 0, 1}n2ℓδB , where yi is of thefollowing form

yi = (a1 · gi,1, . . . , a1 · gi,δB, . . . , anℓ · gi,1 , . . . , anℓ · gi,δB

),

g ∈ {−1, 0, 1}nδB is of the form

g = (g0,1, g0,2, . . . , g0,δB, . . . , gn−1,1, gn−1,2, . . . , gn−1,δB

)⊤,

and a = (a1, . . . , anℓ)⊤ ∈ {−1, 0, 1}nℓ for some positive integers n, ℓ, δB.

Denote y = (ai · gj,k)i∈[nℓ],j∈[0,n−1],k∈[δB ], we then define an extension ofthe expansion vector y as mult(a,g) = (mult3(ai, gj,k))i∈[nℓ],j∈[0,n−1],k∈[δB ] ∈{−1, 0, 1}9n2ℓδB .

For e = (e0,1, e0,2, . . . , e0,δB, . . . , en−1,1, en−1,2, . . . , en−1,δB

)⊤ ∈ {−1, 0, 1}nδB

and b = (b1, . . . , bnℓ)⊤ ∈ {−1, 0, 1}nℓ, we define the permutation Φb,e(·) that be-

haves as follows. It maps vector v ∈ Z9n2ℓδB of the following form:

(v1,0,1‖ · · · ‖v1,0,δB

‖ · · · ‖vnℓ,0,1‖ · · · ‖vnℓ,0,δB‖

v1,1,1‖ · · · ‖v1,1,δB‖ · · · ‖vnℓ,1,1‖ · · · ‖vnℓ,1,δB

‖· · · ·v1,n−1,1‖ · · · ‖v1,n−1,δB

‖ · · · ‖vnℓ,n−1,1‖ · · · ‖vnℓ,n−1,δB

)

which consists of blocks of size 9, to vector Φb,e(v) of the following form:

(φb1,e0,1

(v1,0,1)‖ · · · ‖φb1,e0,δB(v1,0,δB

)‖ · · · ‖φbnℓ,e0,1

(vnℓ,0,1)‖ · · · ‖φbnℓ,e0,δB(vnℓ,0,δB

)‖φb1,e1,1

(v1,1,1)‖ · · · ‖φb1,e1,δB(v1,1,δB

)‖ · · · ‖φbnℓ,e1,1

(vnℓ,1,1)‖ · · · ‖φbnℓ,e1,δB(vnℓ,1,δB

)‖· · · ·φb1,en−1,1

(v1,n−1,1)‖ · · · ‖φb1,en−1,δB(v1,n−1,δB

)‖ · · · ‖φbnℓ,en−1,1

(vnℓ,n−1,1)‖ · · · ‖φbnℓ,en−1,δB(vnℓ,n−1,δB

))

For any a,b ∈ {−1, 0, 1}nℓ and any g, e ∈ {−1, 0, 1}nδB , it then follows from (10)that the following equivalence holds.

v = mult(a,g) ⇐⇒ Φb,e(v) = mult([a + b]3, [g + e]3). (11)

4.2 Proving the RLWE Relation with Hidden Vector

We are going to describe our statistical ZKAoK protocol for the RLWE relationwith hidden vector. Let q, ℓ, B be some integers and R,Rq be two rings, whichare specified as in Section 3.1. Our goal is to design a ZK argument system that

25

allows a prover P to convince a verifier V on input c ∈ Rℓq that P knows secrets

a ∈ Rℓq, g ∈ Rq and e ∈ Rℓ

q such that g and e are B-bounded and

c = a · g + e. (12)

Furthermore, this protocol should be extendable such that we are able to provethat the secrets a, g, e satisfy other relations.

As in Section 2.6, we aim to obtain an instance of the abstract protocol fromSection 2.4.

Decomposing-Unifying. To start with, we also employ the notations rot and τfrom Section 2.1 and the decomposition techniques from Section 2.2 to transformequation (12) into M0 ·w0 = u mod q, where M0,u are built from public input,and vector w0 is built from secret input and coefficients of which are in the set{−1, 0, 1}.Let a = (a1, a2, · · · , aℓ)

⊤, τ(g) = (g0, · · · , gn−1)⊤, a⋆i = τ(rdec(ai)) ∈ {−1, 0, 1}nℓ

∀ i ∈ [ℓ], g⋆ = τ(rdecB(g)) ∈ {−1, 0, 1}nδB . Let a⋆i = (ai,1, ai,2, · · · , ai,nℓ)

⊤

∀ i ∈ [ℓ], g⋆ = (g0,1, · · · g0,δB, · · · , gn−1,1, · · · , gn−1,δB

)⊤. We then have the fol-lowing:

τ(ai · g) = rot(ai) · τ(g) = [τ(ai)|τ(ai ·X)| . . . |τ(ai ·Xn−1)] · τ(g)

=

n−1∑

j=0

τ(ai ·Xj) · gj =

n−1∑

j=0

rot(Xj) · τ(ai) · gj =

n−1∑

j=0

rot(Xj) ·H · a⋆i · gj

=

n−1∑

j=0

rot(Xj) ·H · (ai,1 · gj, . . . , ai,nℓ · gj)⊤ mod q

Observe that, for each k ∈ [nℓ], we have

ai,k · gj = ai,k · (B1, . . . , BδB) · (gj,1, . . . , gj,δB

)⊤

= (B1, . . . , BδB) · (ai,k · gj,1, . . . , ai,k · gj,δB

)⊤

Denote yi,j ∈ {−1, 0, 1}nℓδB of the following form:

yi,j = (ai,1 · gj,1, . . . , ai,1 · gj,δB, . . . , ai,nℓ · gj,1, . . . , ai,nℓ · gj,δB

)⊤,

we then obtain

(ai,1 · gj, . . . , ai,nℓ · gj)⊤ = Hℓ,B · yi,j mod q.

Define Q0 ∈ Zn×n2ℓδBq of the following form:

Q0 = [rot(X0) ·H ·Hℓ,B| · · · |rot(Xn−1) ·H ·Hℓ,B].

Let yi = (yi,0‖ · · · ‖yi,n−1) = expd(a⋆i ,g

⋆) ∈ {−1, 0, 1}n2ℓδB , we then obtain:

τ(ai · g) = Q0 · yi mod q.

26

Let e⋆ = τ(rdecB(e)) ∈ {−1, 0, 1}nℓδB , Q =

Q0

Q0

. . .

Q0

∈ Z

nℓ×n2ℓ2δBq .

Now equation (12) is equivalent to

τ(c) = (τ(a1 · g), . . . , τ(aℓ · g))⊤ + τ(e)

= Q · (y1‖ · · · ‖yℓ) + Hℓ,B · e⋆ mod q

Rearrange the above equivalent form using some basic algebra, we are ableto obtain an unifying equation of the following form:

M0 ·w0 = u mod q,

where M0 is built from the public matrices Q and Hℓ,B, u is the vector τ(c),

while w0 = (y1‖ · · · ‖yℓ‖e⋆) ∈ {−1, 0, 1}n2ℓ2δB+nℓδB .

Extending-Permuting. In this second step, we aim to transform the secretw0 to a vector w such that it satisfies the requirements specified by the abstractprotocol from section 2.4. In the process, the techniques introduced in Section 2.5and 4.1 are utilized.

We first extend w0 = (y1‖ · · · ‖yℓ‖e⋆) as follows.

yi 7→ y′i = mult

(a⋆

i ,g⋆)∈ {−1, 0, 1}9n2ℓδB , i ∈ [ℓ];

e⋆ 7→ e′⋆ = enc(e⋆) ∈ {−1, 0, 1}L2.

Notice that for each i ∈ [ℓ], we have yi = expd(a⋆i ,g

⋆). We then form vectorw = (y′

1‖ · · · ‖y′ℓ‖e′⋆) ∈ {−1, 0, 1}L, where

L = L1 + L2; L1 = 9n2ℓ2δB; L2 = 3nℓδB.

According to the extension, we insert appropriate zero-columns to matrix M0,obtaining a new matrix M ∈ Z

nℓ×Lq such that the equation M · w = M0 · w0

holds.

We now define the set VALID that includes our secret vector w, the set S,and the associated permutations {Γη : η ∈ S}, such that the conditions in (1)are satisfied.Let VALID be the set of all vectors v′ = (v′

1‖ · · · ‖v′ℓ‖v′

ℓ+1) ∈ {−1, 0, 1}L suchthat the following conditions hold:

– There exist a⋆i ∈ {−1, 0, 1}nℓ for each i ∈ [ℓ] and g⋆ ∈ {−1, 0, 1}nδB such

that v′i = mult(a⋆

i ,g⋆).

– There exists e⋆ ∈ {−1, 0, 1}nℓδB such that v′ℓ+1 = enc(e⋆).

It is easy to see that the obtained vector w belongs to the set VALID.

Now let S = ({−1, 0, 1}nℓ)ℓ × {−1, 0, 1}nδB × {−1, 0, 1}nℓδB , and associateevery element η = (b1, . . . ,bℓ, f1, f2) ∈ S with permutation Γη that behaves as

27

follows. For a vector of the form v = (v1‖ · · · ‖vℓ‖vℓ+1) ∈ ZL, where vi ∈ Z

9n2ℓδB

for each i ∈ [ℓ] and vℓ+1 ∈ ZL2 , it transforms v into vector

Γη(v) =(Φb1,f1

(v1) ‖ · · · ‖ Φbℓ,f1(vℓ) ‖ Πf2

(vℓ+1)).

It then follows from the equivalences in (4) and (11) that VALID, S, and Γη fulfillthe requirements specified in (1). Therefore, we have transformed the consideredstatement to a case of the abstract protocol from Section 2.4. To obtain thedesired statistical ZKAoK protocol, it suffices for the prover and verifier to run theinteractive protocol described in Figure 1. The protocol has perfect completeness,soundness error 2/3 and communication cost O(L ·log q), which is of order O(n2 ·log4 n) = O(λ2).

5 Accountable Tracing Signatures from Lattices

In this section, we construct our ATS scheme based on: (i) The Ducas-Miccianciosignature scheme (as recalled in Section 2.3); (ii) The KOE scheme described inSection 3; and (iii) Stern-like zero-knowledge argument system that underlies ourATS construction, which is obtained by smoothly combining previous techniquesas recalled in Section 2.6 and ours as described in Section 4.2.

5.1 The Zero-Knowledge Argument System Underlying the ATSScheme

Before describing our accountable tracing signature scheme in Section 5.2, let usfirst present the statistical ZKAoK that will be invoked by the signer when gener-ating group signatures. Let n, q, k, ℓ,m,m,ms, d, c0, · · · , cd, β, B be parametersas specified in Section 5.2. The protocol is summarized as follows.

– The public input consists of

A,F0 ∈ R1×mq ; A[0], . . . ,A[d] ∈ R1×k

q ; F ∈ R1×ℓq ;

F1 ∈ R1×msq ;u ∈ Rq; B ∈ Rm

q ; c1,1, c1,2 ∈ Rℓq, c2,1, c2,2 ∈ Rℓ

q.

– The secret input of the prover consists of message m = (p‖a′1‖b′

1‖a′2‖b′

2)and the corresponding Ducas-Micciancio signature (t, r,v), a user secretkey x that corresponds to the public key p, and encryption randomnessg′

1, g′2, e

′1,1, e

′1,2, e

′2,1, e

′2,2, where

p ∈ Rq; a′1 ∈ Rℓ

q; b′1 ∈ Rℓ

q; a′2 ∈ Rℓ

q; b′2 ∈ Rℓ

q;

t = (t0, . . . , tc1−1, . . . , tcd−1, . . . , tcd−1)⊤ ∈ {0, 1}cd;

r ∈ Rm; v = (s‖z) ∈ Rm+k; s ∈ Rm; z ∈ Rk;

x ∈ Rm; g′1, g

′2 ∈ R; e′

1,1, e′1,2, e

′2,1, e

′2,2 ∈ Rℓ.

28

– The goal of the prover is to prove in ZK that ‖r‖∞ ≤ β, ‖v‖∞ ≤ β, ‖x‖∞ ≤1, ‖g′

i‖∞ ≤ B, ‖ei,1‖∞ ≤ B, ‖ei,2‖∞ ≤ B and that the following conditionshold:

At · v = F · rdec (F0 · r + F1 · rdec(m)) + u,

B · x = p,

for i ∈ {1, 2}, ci,1 = a′i · g′

i + e′i,1, ci,2 = b′

i · g′i + e′

i,2 + ⌊q/4⌋ · rdec(p). (13)

Since we already established the transformations for the Ducas-Micciancio sig-nature in Section 2.6, we now focus on the transformations for other relations.

Let a′i = (a′

i,1, . . . , a′i,ℓ)

⊤, b′i = (b′

i,1, . . . , b′i,ℓ)⊤ for each i ∈ {1, 2}. First, we

employ the decomposition techniques in Section 2.2 to the following secrets.

– Let x⋆ = τ(x) ∈ {−1, 0, 1}nm.– For each i ∈ {1, 2}, each j ∈ [ℓ], compute a⋆

i,j = τ(rdec(a′i,j)) ∈ {−1, 0, 1}nℓ,

b⋆i,j = τ(rdec(b′

i,j)) ∈ {−1, 0, 1}nℓ.

– For i ∈ {1, 2}, compute g⋆i = τ(rdecB(g′

i)) ∈ {−1, 0, 1}nδB .

– For i ∈ {1, 2}, compute e⋆i,1 = τ(rdecB(e′

i,1)) ∈ {−1, 0, 1}nℓδB and e⋆i,2 =

τ(rdecB(e′i,2)) ∈ {−1, 0, 1}nℓδB .

Then the equation B · x = p over Rq is equivalent to

[rot(B)] · x⋆ − [H] · τ(rdec(p)) = 0n mod q. (14)

For each i ∈ {1, 2}, each j ∈ [ℓ], let

{yi,j = expd (a⋆

i,j , g⋆i ) ∈ {−1, 0, 1}n2ℓδB ,

zi,j = expd (b⋆i,j , g⋆

i ) ∈ {−1, 0, 1}n2ℓδB .(15)

From Section 4.2, we know that equations in (13) can be written as, for i ∈ {1, 2},{τ(ci,1) = [Q] · (yi,1‖ · · · ‖yi,ℓ) + [Hℓ,B] · e⋆

i,1;

τ(ci,2) = [Q] · (zi,1‖ · · · ‖zi,ℓ) + [Hℓ,B] · e⋆i,2 + ⌊q/4⌋ · τ(rdec(p)).

(16)

Following the procedure in Section 2.6, we form secret vectors w1 ∈ {−1, 0, 1}(kδβ+cdkδβ )n,w2 ∈ {−1, 0, 1}2nmδβ+nℓ+nms of the form:

{w1 = (z⋆ ‖ t0 · z⋆ ‖ . . . ‖ tcd−1 · z⋆);

w2 = (s⋆ ‖ r⋆ ‖ τ(y) ‖ τ(rdec(m))),

where τ(rdec(m))

= (τ(rdec(p))‖τ(rdec(a′1))‖τ(rdec(b′

1))‖τ(rdec(a′2))‖τ(rdec(b′

1)))

= (τ(rdec(p))‖a⋆1,1‖ · · · ‖a⋆

1,ℓ‖b⋆1,1‖ · · · ‖b⋆

1,ℓ‖a⋆2,1‖ · · · ‖a⋆

2,ℓ‖b⋆2,1‖ · · · ‖b⋆

2,ℓ).

29

Since τ(rdec(p)) has been included in w2, we now combine the remaining secretvectors appearing in equations (14), (16) into w3 ∈ {−1, 0, 1}nm+4nℓδB of theform

w3 =(

x⋆ ‖ e⋆1,1 ‖ e⋆

1,2 ‖ e⋆2,1 ‖ e⋆

2,2

)

and w4 ∈ {−1, 0, 1}4n2ℓ2δB of the form

w4 =(y1,1‖ · · · ‖y1,ℓ‖z1,1‖ · · · ‖z1,ℓ‖y2,1‖ · · · ‖y2,ℓ‖z2,1‖ · · · ‖z2,ℓ

)

such that for i ∈ {1, 2}, and j ∈ [ℓ], yi,j , zi,j satisfy the equations in (15).For the sake of simplicity when defining our tailored set VALID and permu-

tation Γη, we rearrange our secret vectors w2,w3 into vector w2 ∈ {−1, 0, 1}L′

2

of the form

w2 =(s⋆ ‖r⋆‖τ(y)‖τ(rdec(p))‖x⋆ ‖e⋆

1,1‖e⋆1,2‖e⋆

2,1‖e⋆2,2

).

and w3 ∈ {−1, 0, 1}4nℓ2

of the form

w3 =(a⋆

1,1 ‖ · · · ‖ a⋆1,ℓ ‖ b⋆

1,1 ‖ · · · ‖b⋆1,ℓ ‖ a⋆

2,1 ‖ · · · ‖ a⋆2,ℓ ‖ b⋆

2,1 ‖ · · · ‖ b⋆2,ℓ

)

with L′2 = 2nmδβ + 2nℓ + nm + 4nℓδB. Now we form our secret vector as

w0 = (w1‖w2‖w3‖w4).

Second, we apply the extension and permutation techniques from Section 2.5and Section 4.1 to our secret vectors w0. Let w′

1 = mix(t, z⋆) ∈ {−1, 0, 1}L1

be the “mixing” vector obtained in equation (9), w′2 = enc(w2) ∈ {−1, 0, 1}L2

w′3 = enc(w3) ∈ {−1, 0, 1}L3, and w′

4 = Mult(w4) ∈ {−1, 0, 1}L4 be of thefollowing form:

(mult(a⋆

1,1,g⋆1) ‖ · · · ‖mult(a⋆

1,ℓ,g⋆1) ‖mult(b⋆

1,1,g⋆1) ‖ · · · ‖mult(b⋆

1,ℓ,g⋆1) ‖

mult(a⋆2,1,g

⋆2) ‖ · · · ‖mult(a⋆

2,ℓ,g⋆2) ‖mult(b⋆

2,1,g⋆2) ‖ · · · ‖mult(b⋆

2,ℓ,g⋆2)

),

Where L1 = 3kδβ +6nkδβcd, L2 = 3L′2, L3 = 12nℓ2, and L4 = 36n2ℓ2δB. Denote

L = L1 + L2 + L3 + L4. Form our extended vector w = (w′1‖w′

2‖w′3‖w′

4) ∈{−1, 0, 1}L.

Following the process in Section 2.6 and Section 4.2, we are able to obtainpublic matrix/vector M and u such that the considered statement is reducedto M · w = u mod q. Therefore, we are prepared to define the set VALID thatincludes our secret vector w, the set S, and the associated permutations {Γη :η ∈ S}, such that the conditions in (1) are satisfied.

Let VALID be the set of all vectors v′ = (v′1‖v′

2‖v′3‖v′

4) ∈ {−1, 0, 1}L such thatthe following requirements hold:

– v′1 = mix(t, z⋆) for some t ∈ {0, 1}cd and z⋆ ∈ {−1, 0, 1}nkδβ .

– v′2 = enc(w2) for some w2 ∈ {−1, 0, 1}L′

2.

– For j ∈ [4ℓ], there exists w3,j ∈ {−1, 0, 1}nℓ and w3 = (w3,1 · · · ‖w3,4ℓ) ∈{−1, 0, 1}4nℓ2

such that v′3 = (enc(w3,1)‖ · · · ‖enc(w3,4ℓ)) = enc(w3).

30

– There exists g⋆1,g

⋆2 ∈ {−1, 0, 1}nδB and w4 ∈ {−1, 0, 1}4n2ℓ2δB be of the

form:

(expd(w3,1,g⋆1)‖ · · · ‖expd(w3,2ℓ,g

⋆1)‖expd(w3,2ℓ+1,g

⋆2)‖ · · · ‖expd(w3,4ℓ,g

⋆2))

such that v′4 = Mult(w4).

It is verifiable that our secret vector w belongs to VALID.

Now let S = {0, 1}cd × {−1, 0, 1}nkδβ × {−1, 0, 1}L′

2 × ({−1, 0, 1}nℓ)4ℓ ×({−1, 0, 1}nδB)2, and associate every element

η = (f1, f2, f3, f4,1, . . . , f4,2ℓ, f5,1, . . . , f5,2ℓ, f6, f7) ∈ S

with Γη that works as follows. For a vector of form v⋆ = (v⋆1‖v⋆

2‖v⋆3‖v⋆

4) ∈ ZL,

where v⋆i ∈ Z

Li for i ∈ {1, 2}, v⋆3 = (v⋆

3,1‖ · · · ‖v⋆3,4ℓ) with v⋆

3,j ∈ Z3nℓ, and

v⋆4 = (v⋆

4,1 · · · ‖v⋆4,4ℓ) with v⋆

4,j ∈ Z9n2ℓδB , it transforms v⋆ into vector Γη(v⋆)

(Ψf1,f2(v⋆

1) ‖Πf3(v⋆

2) ‖Πf4,1

(v⋆3,1) ‖ · · · ‖Πf4,2ℓ

(v⋆3,2ℓ) ‖Πf5,1

(v⋆3,2ℓ+1) ‖ · · · ‖Πf5,2ℓ

(v⋆3,4ℓ)‖

Φf4,1,f6(v⋆

4,1) ‖ · · · ‖Φf4,2ℓ,f6(v⋆

4,2ℓ) ‖Φf5,1,f7(v⋆

4,2ℓ+1) ‖ · · · ‖Φf5,2ℓ,f7(v⋆

4,4ℓ) )

It then follows from the equivalences in (4), (6), and (11) that VALID, S, andΓη satisfy the conditions in (1). Therefore, we have transformed the consideredstatement to a case of the abstract protocol from Section 2.4. To obtain thedesired statistical ZKAoK protocol, it suffices for the prover and verifier to run theinteractive protocol described in Figure 1. The protocol has perfect completeness,soundness error 2/3 and communication cost O(L · log q), which is of the order

O(n2 · log3 n) = O(λ2).

5.2 Description of Our ATS Scheme

We assume there is a trusted setup such that it generates parameters of thescheme. Specifically, it generates a public matrix B for generating users’ keypairs, and two secret-public key pairs of our KOE scheme such that the secret keysare discarded and not known by any party. The group public key then consistsof three parts: (i) the parameters from the trusted setup, (ii) a verification keyof the Ducas-Micciancio signature, (iii) two public keys of our KOE scheme suchthat the group manager knows both secret keys. The issue key is the Ducas-Micciancio signing key, while the opening key is any one of the correspondingsecret keys of the two public keys. Note that both the issue key and the openingkey are generated by the group manager.

When a user joins the group, it first generates a secret-public key pair (x, p)such that B·x = p. It then interacts with the group manager, who will determinewhether user p is traceable or not. If the user is traceable, group manager setsa bit tr = 1, randomizes the two public key generated by himself, and thengenerates a Ducas-Micciancio signature σcert on user public key p and the two

31

randomized public keys (epk1, epk2). If the user is non-traceable, group managersets a bit tr = 0, randomizes the two public key generated from the trusted setup,and then generates a signature on p and epk1, epk2. If it completes successfully,the group manager sends certificate cert = (p, epk1, epk2, σcert) to user p, registersthis user to the group, and keeps himself the witness wescrw that was ever usedfor randomization.

Once registered as a group member, the user can sign messages on behalf ofthe group. To this end, the user first encrypts his public key p twice using his tworandomized public keys, and obtains ciphertexts c1, c2. The user then generatesa ZKAoK such that (i) he has a valid secret key x corresponding to p; (ii) hepossesses a Ducas-Micciancio signature on p and epk1, epk2; and (iii) c1, c2 arecorrect ciphertexts of p under the randomized keys epk1, epk2, respectively. Sincethe ZKAoK protocol the user employs has soundness error 2/3 in each execution,it is repeated κ = ω(logλ) times to make the error negligibly small. Then, it ismade non-interactive via the Fiat-Shamir heuristic [17]. The signature then con-sists of the non-interactive zero-knowledge argument of knowledge (NIZKAoK)Πgs and the two ciphertexts. Note that the ZK argument together with doubleencryption enables CCA-security of the underlying encryption scheme, which isknown as the Naor-Yung transformation [47].

To verify the validity of a signature, it suffices to verify the validity of theargument Πgs. Should the need arises, the group manager can decrypt using hisopening key. If a user is traceable, the opening key group manager possesses canbe used to correctly identify the signer. However, if a user is non-traceable, thenhis anonymity is preserved against the manager.

To prevent corrupted opening, group manager is required to generate aNIZKAoK of correct opening Πopen. Only when Πopen is a valid argument, wethen accept the opening result. Furthermore, there is an additional accountingmechanism for group manager to reveal which users he had chosen to be trace-able. This is done by checking the consistency of tr and the randomized publickeys in user’s certificate with the help of the witness wescrw.

We describe the details of our scheme below.

Setup(λ): Given the security parameter λ, it generates the following public pa-rameter.

– Let n = O(λ) be a power of 2, and modulus q = O(n4), where q = 3k

for k ∈ Z+. Let R = Z[X ]/(Xn + 1) and Rq = R/qR.

Also, let m ≥ 2⌈log q⌉+2, ℓ = ⌊log q−12 ⌋+1, ms = 4ℓ+1, and m = m+k

and ms = ms · ℓ.– Let integer d and sequence c0, . . . , cd be described in Section 2.3.– Let β = O(n) and B = O(

√n) be two integer bounds, and χ be a

B-bounded distribution over the ring R.– Choose a collision-resistant hash function HFS : {0, 1}∗ → {1, 2, 3}κ,

where κ = ω(logλ), which will act as a random oracle in the Fiat-Shamirheuristic [17].

– Choose a statistically hiding and computationally binding commitmentscheme from [22], denoted as COM, which will be employed in our ZK

argument systems.

32

– Let B$←− R1×m

q , a(0)1

$←− Rℓq, a

(0)2

$←− Rℓq, s−1, s−2 ← χ, e−1, e−2 ← χℓ.

Compute

b(0)1 = a

(0)1 · s−1 + e−1 ∈ Rℓ

q; b(0)2 = a

(0)2 · s−2 + e−2 ∈ Rℓ

q.

This algorithm outputs the public parameter pp:

{ n, q, k, R,Rq, ℓ,m,ms,m,ms, d, c0, · · · , cd,

β, B, χ,HFS, κ,COM,B, {a(0)i ,b

(0)i }i∈{1,2} }.

pp is implicit for all algorithms below if not explicitly mentioned.

GKeyGen(pp): On input pp, GM proceeds as follows.– Generate verification key

A,F0 ∈ R1×mq ; A[0], . . . ,A[d] ∈ R1×k

q ; F ∈ R1×ℓq ; F1 ∈ R1×ms

q ; u ∈ Rq

and signing key R ∈ Rm×kq for the Ducas-Micciancio signature from

Section 2.3.– Initialize the Naor-Yung double-encryption mechanism [47] with the key-

oblivious encryption scheme described in Section 3.1. Specifically, sample

s1, s2 ← χ, e1, e2 ← χℓ, a(1)1

$←− Rℓq, a

(1)2

$←− Rℓq and compute

b(1)1 = a

(1)1 · s1 + e1 ∈ Rℓ

q; b(1)2 = a

(1)2 · s2 + e2 ∈ Rℓ

q.

Set the group public key gpk, the issue key ik and the opening key ok asfollows:

gpk = {pp,A, {A[j]}dj=0,F,F0,F1, u, a

(1)1 ,b

(1)1 ,a

(1)2 ,b

(1)2 },

ik = R, ok = (s1, e1).

GM then makes gpk public, sets the registration table reg = ∅ and hisinternal state S = 0.

UKeyGen(pp): Given the public parameter, the user first chooses x ∈ Rm suchthat the coefficients are uniformly chosen from the set {−1, 0, 1}. He thencalculates p = B · x ∈ Rq. Set upk = p and usk = x.

Enroll(gpk, ik, upk, tr): Upon receiving a user public key upk from a user, GM

determines the value of the bit tr ∈ {0, 1}, indicating whether the user istraceable. He then does the following:

– Randomize two pairs of public keys (a(tr)1 ,b

(tr)1 ) and (a

(tr)2 ,b

(tr)2 ) as de-

scribed in Section 3.1. Specifically, sample g1, g2 ← χ, e1,1, e1,2 ← χℓ,e2,1, e2,2 ← χℓ. For each i ∈ {1, 2}, compute

epki = (a′i,b

′i) = (a

(tr)i · gi + ei,1, b

(tr)i · gi + ei,2) ∈ Rℓ

q ×Rℓq. (17)

– Set the tag t = (t0, t1 . . . , tcd−1)⊤ ∈ Td, where S =∑cd−1

j=0 2j · tj , and

compute At = [A|A[0] +∑d

i=1 t[i]A[i]] ∈ R1×(m+k)q .

33

– Let m = (p‖a′1‖b′

1‖a′2‖b′

2) ∈ Rmsq .

– Generate a signature σcert = (t, r,v) on message rdec(m) ∈ Rms - whosecoefficients are in {−1, 0, 1} - using his issue key ik = R. As in Section 2.3,we have r ∈ Rm, v ∈ Rm+k and

{At · v = F · rdec(F0 · r + F1 · rdec(m)) + u,

‖r‖∞ ≤ β, ‖v‖∞ ≤ β.(18)

Set certificate cert and wescrw as follows:

cert = (p, a′1,b

′1,a

′2,b

′2, t, r,v), wescrw = (g1, e1,1, e1,2, g2, e2,1, e2,2).

GM sends cert to the user p, stores reg[S] = (p, tr, wescrw), and updates thestate to S + 1.

Sign(gpk, cert, usk,M): To sign a message M ∈ {0, 1}∗ using the certificatecert = (p, a′

1,b′1,a

′2,b

′2, t, r,v) and usk = x, the user proceeds as follows.

– Encrypt the ring vector rdec(p) ∈ Rℓq whose coefficients are in {−1, 0, 1}

twice. Namely, sample g′1, g

′2 ← χ, e′

1,1, e′1,2 ← χℓ, and e′

2,1, e′2,2 ← χℓ.

For each i ∈ {1, 2}, compute ci = (ci,1, ci,2) ∈ Rℓq ×Rℓ

q as follows:

ci,1 = a′i · g′

i + e′i,1; ci,2 = b′

i · g′i + e′

i,2 + ⌊q/4⌋ · rdec(p).

– Generate a NIZKAoK Πgs to demonstrate the possession of a valid tupleζ of the following form

ζ = (p, a′1,b

′1,a

′2,b

′2, t, r,v,x, g

′1, e

′1,1, e

′1,2, g

′2, e

′2,1, e

′2,2) (19)

such that(i) The conditions in (18) are satisfied.

(ii) c1 and c2 are correct encryptions of rdec(p) with B-bounded ran-domness g′

1, e′1,1, e

′1,2 and g′

2, e′2,1, e

′2,2, respectively.

(iii) ‖x‖∞ ≤ 1 and B · x = p.

This is achieved by running the protocol from Section 5.1, which is re-peated κ = ω(logλ) times and made non-interactive via Fiat-Shamirheuristic [17] as a triple Πgs = ({CMTi}κ

i=1,CH, {RSPi}κi=1) where the

challenge CH is generated as CH = HFS(M, {CMTi}κi=1, ξ) with ξ of the

following form

ξ = (A,A[0], . . . ,A[d],F,F0,F1, u,B, c1, c2) (20)

– Output the group signature Σ = (Πgs, c1, c2).

Verify(gpk,M,Σ): Given the inputs, the verifier performs in the following man-ner.

– Parse Σ as Σ =({CMTi}κ

i=1, (Ch1, . . . , Chκ), {RSP}κi=1, c1, c2

).

If (Ch1, . . . , Chκ) 6= HFS

(M, {CMTi}κ

i=1, ξ), output 0, where ξ is as

in (20).

34

– For each i ∈ [κ], run the verification phase of the protocol in Section 5.1to verify the validity of RSPi corresponding to CMTi and Chi. If any ofthe verification process fails, output 0.

– Output 1.

Open(gpk, ok,M,Σ): Let ok = (s1, e1) and Σ = (Πgs, c1, c2). The group man-ager proceeds as follows.

– Use s1 to decrypt c1 = (c1,1, c1,2) as in the decryption algorithm fromSection 3.1. The result is p′ ∈ Rq.

– He then searches the registration information. If reg does not include anelement p′, then return ⊥.

– Otherwise, he produces a NIZKAoK Πopen to show the knowledge of atuple (s1, e1,y) ∈ Rq ×Rℓ

q ×Rℓq such that the following conditions hold.

‖s1‖∞ ≤ B; ‖e1‖∞ ≤ B; ‖y‖∞ ≤ ⌈q/10⌉;a

(1)1 · s1 + e1 = b

(1)1 ;

c1,2 − c1,1 · s1 = y + ⌊q/4⌋ · rdec(p′).

(21)

Since the conditions in (21) only encounter linear secret objects withbounded norm, we can easily handled them using the Stern-like tech-niques from Sections 4.2 and 5.1. Therefore, we are able to have a sta-tistical ZKAoK for the above statement. Furthermore, the protocol is re-peated κ = ω(logλ) times and made non-interactive via the Fiat-Shamirheuristic, resulting in a triple ΠOpen = ({CMTi}κ

i=1,CH, {RSP}κi=1),

where CH ∈ {1, 2, 3}κ is computed as

CH = HFS

({CMTi}κ

i=1,a(1)1 ,b

(1)1 ,M,Σ, p′

). (22)

– Output (p′, ΠOpen).

Judge(gpk,M,Σ, p′, Πopen): Given all the inputs, this algorithm does the follow-ing.

– If Verify algorithm outputs 0 or p′ = ⊥, return 0.– This algorithm then verifies the argumentΠOpen with respect to common

input (a(1)1 ,b

(1)1 ,M,Σ, p′), in the same way as in the algorithm Verify. If

verification of the argument Πopen fails, output 0.– Else output 1.

Account(gpk, cert, wescrw, tr): Let the certificate be cert = (p, a′1,b

′1,a

′2,b

′2, t, r,v)

and witness be wescrw = (g1, e1,1, e1,2, g2, e2,1, e2,2) and the bit tr, this algo-rithm proceeds as follows.

– It checks whether (t, r,v) is a valid Ducas-Micciancio signature on themessage (p, a′

1,b′1,a

′2,b

′2). Specifically, it verifies whether cert satisfies

the conditions in (18). If not, output 0.– Otherwise, it then checks if (a′

1,b′1) and (a′

2,b′2) are randomization of

(a(tr)1 , (b

(tr)1 ) and (a

(tr)2 , (b

(tr)2 ) with respect to randomness (g1, e1,1, e1,2)

and (g2, e2,1, e2,2), respectively. Specifically, it verifies whether the con-ditions in (17) hold. If not, output 0.

– Else output 1.

35

5.3 Analysis of Our ATS Scheme

Efficiency. We first analyze the efficiency of our scheme from Section 5.2 interms of the security parameter λ.

– The bit-size of the public key gpk is of order O(λ · log3 λ) = O(λ).

– The bit-size of the membership certificate cert is of orderO(λ·log2 λ) = O(λ).

– The bit-size of a signatureΣ is determined by that of the Stern-like NIZKAoK

Πgs, which is of order O(L · log q) ·ω(logλ), where L is the bit-size of a vectorw ∈ VALID from Section 5.1. Recall O(L · log q) = O(λ2 · log3 λ). Therefore,

the bit-size of Σ is of order O(λ2 · log3 λ) · ω(logλ) = O(λ2).

– The bit-size of the Stern-like NIZKAoK Πopen is of order O(λ · log3 λ) ·ω(logλ) = O(λ).

Correctness. For an honestly generated signature Σ for message M , we firstshow that the Verify algorithm always outputs 1. Due to the honest behavior ofthe user, when signing a message in the name of the group, this user possessesa valid tuple ζ of the form (19). Therefore, Πgs will be accepted by the Verify

algorithm with probability 1 due to the perfect completeness of our argumentsystem.

If an honest user is traceable, then Account(gpk, cert, wescrw, 1) will output 1,implied by the correctness of Ducas-Micciancio signature scheme and honestbehaviour of group manager. In terms of the correctness of the Open algorithm,we observe that c1,2 − c1,1 · s1 =

(b(tr)1 − a

(tr)1 ·s1) ·g1 ·g′

1 + e1,2 ·g′1 − e1,1 ·s1 ·g′

1 + e′1,2 − e′

1,1 ·s1 + ⌊q/4⌋ · rdec(p),

denoted as e + ⌊q/4⌋ · rdec(p). In this case, tr = 1, b(tr)1 − a

(tr)1 · s1 = e1, and

‖e‖∞ ≤⌈

q10

⌉. The decryption can recover rdec(p) and hence the real signer

due to the correctness of our key-oblivious encryption from Section 3.1. Thus,correctness of the Open algorithm follows. What is more, Πopen will be acceptedby the Judge algorithm with probability 1 due to the perfect completeness of ourargument system.

If an honest user is non-traceable, then again Account(gpk, cert, wescrw, 1) will

output 1. For the Open algorithm, since b(0)1 − a

(0)1 · s1 = a

(0)1 · (s−1− s1) + e−1,

then we obtain

c1,2 − c1,1 · s1 = a(0)1 · (s−1 − s1) · g1 · g′

1 + e + ⌊q/4⌋ · rdec(p),

where ‖e‖∞ ≤⌈

q10

⌉. Observe that a

(0)1

$←− Rℓq, and s−1 6= s1 with overwhelming

probability. Over the randomness of g1, g′1, the decryption algorithm described

in Section 3.1 will output a random element p′ ∈ Rq. Then, with overwhelmingprobability, p′ is not in the registration table and the Open algorithm outputs ⊥.It then follows that our scheme is correct.

Security. In Theorem 3, we prove that our scheme satisfies the security require-ments of accountable tracing signatures, as specified by Kohlweiss and Miers.

36

Theorem 3. Under the RLWE and RSIS assumptions, the accountable tracingsignature scheme described in Section 5.2 satisfies the following requirementsin the random oracle model: (i) anonymity under tracing; (ii) traceability; (iii)non-frameability; (iv) anonymity with accountability; and (v) trace-obliviousness.

For the proofs of traceability and non-frameability, the lemma below from [36]is needed.

Lemma 5 ([36]). Let B ∈ R1×mq , where m ≥ 2⌈log q⌉ + 2. If x is a uniform

element over Rm with ‖x‖∞ ≤ 1, then with probability at least 1 − 2−n, thereexists a different x′ ∈ Rm with ‖x′‖∞ ≤ 1 and B · x′ = B · x ∈ Rq.

The proof of the Theorem 3 follows from Lemma 6-10 given below.

Lemma 6. Assuming the hardness of the RLWE problem, in the random ora-cle model, the given accountable tracing signature scheme is anonymous undertracing.

Proof. We prove this lemma using a series of indistinguishable games. In theinitial game, the challenger runs the experiment ExpAuT−0

ATS,A (λ) while in the last

game, the challenger runs the experiment ExpAuT−1ATS,A (λ). Let Wi be the event

that the adversary outputs 1 in Game i.

Game 0: This is exactly the experiment ExpAuT−0ATS,A (λ), where the adversary

receives a challenged signature (Π∗gs, c

∗1, c

∗2) ← Sign(gpk, cert0, usk0,M) in

the challenge phase with p0 = B · usk0. So Pr[W0] = Pr[ExpAuT−0ATS,A (λ) = 1].

Game 1: We modify Game 0 as follows: the challenger will keep decryption key(s2, e2) secret (by himself) instead of erasing it. However, the view of theadversary A is still the same as in Game 0. Therefore, Pr[W0] = Pr[W1].

Game 2: This game is the same as Game 1 with one exception: it generatessimulated proofs for the opening oracle queries by programming the randomoracle HFS. Note that the challenger still follows the original game (that is,it uses s1 to decrypt c1) to identify the real signer. The views of A in Game1 and Game 2 are statistically close due to the statistical zero-knowledge

property of our argument system. Therefore Pr[W1]s≈ Pr[W2].

Game 3: This game modifies Game 2 as follows. It uses s2 instead of s1 toanswer the opening oracle queries. In other words, it now uses s2 to decryptc2 to identify the signer. The view of the adversary in this game is identi-cal to that in Game 2 until event F1, where A queries the opening oraclea valid signature (Πgs, c1, c2) with c1, c2 encrypting distinct messages, hap-pens. Since the event F1 violates the soundness of our argument system, wehave |Pr[W2]− Pr[W3]| ≤ Pr[F1] ≤ Advsound

Πgs(λ) = negl(λ).

Game 4: This game changes Game 3 as follows. It generates a simulated proofΠ∗

gs in the challenge phase even though the challenger has the correct witnessto generate a real proof. Due to the statistical zero-knowledge property of our

argument system, this change is negligible to A. Therefore Pr[W3]s≈ Pr[W4].

37

Game 5: In this game, we modify Game 4 by modifying the distribution of thechallenged signature Σ∗ = (Π∗

gs, c∗1, c

∗2) as follows. For i ∈ {0, 1}, parse

certi = (pi,a′1,i,b

′1,i,a

′2,i,b

′2,i, ti, ri,vi). Recall that in Game 4, both c∗

1

and c∗2 encrypt the same message, i.e., rdec(p0), under the randomized key

(a′1,0,b

′1,0) and (a′

2,0,b′2,0), respectively. Here we change c∗

1 to be encryptionof rdec(p1) and keep c∗

2 unchanged. By the semantic security under key ran-

domization of our key oblivious encryption scheme for public key (a(1)1 ,b

(1)1 )

(which is implied by the RLWE assumption since we no longer use s1 to opensignatures), the change made in this game is negligible to the adversary.Therefore we have |Pr[W4]− Pr[W5]| = negl(λ).

Game 6: In this game, we further modify the distribution of the challengedsignature Σ∗. We change c∗

1 to be encryption of rdec(p1) under a fresh andthen randomized key. By the property of key privacy under key randomiza-tion of our key-oblivious encryption scheme, the change made in this game isnegligible to the adversary. Therefore we have |Pr[W5]−Pr[W6]| = negl(λ).

Game 7: In this game, we again modify the distribution of the challenged signa-ture Σ∗. We change c∗

1 to be encryption of rdec(p1) under the randomized key(a′

1,1,b′1,1). By the same argument of indistinguishability between Game 6

and Game 5, we have |Pr[W6]− Pr[W7]| = negl(λ).

Game 8: This game is the same as Game 7 with one modification: it changesback to s1 for the opening oracle queries and erases (s2, e2) again. Thischange is indistinguishable to A until event F2, where A queries a validsignature (Πgs, c1, c2) with c1, c2 encrypting different messages to the open-ing oracle, occurs. Since event F2 violates the simulation soundness of ourargument system, we have |Pr[W7]− Pr[W8]| ≤ Advss

Πgs(λ) = negl(λ).

Game 9: In this game, we modify Game 8 by modifying the distribution of thechallenged signature Σ∗ = (Π∗

gs, c∗1, c

∗2) again. It changes c∗

2 to be encryptionof rdec(p1) under the randomized key (a′

2,1,b′2,1) in the challenge phase. By

the same argument of indistinguishability from Game 4 to Game 7, we have|Pr[W8]− Pr[W9]| = negl(λ).

Game 10: Note that in Game 9, both c∗1 and c∗

2 encrypt the same message, i.e.,rdec(p1), under the randomized key (a′

1,1,b′1,1) and (a′

2,1,b′2,1), respectively.

Therefore, the challenger has correct witness to generate Π∗gs. In this game,

we modify Game 9 by switching back to a real proof Π∗gs in the challenge

phase. Then the views of A in Game 9 and Game 10 are statistically in-distinguishable by the statistical zero-knowledge property of our argument

system. Hence Pr[W9]s≈ Pr[W10].

Game 11: This game changes Game 10 in one aspect. It now generates realproofs for the opening oracle queries. Due to the statistical zero-knowledgeproperty of our argument system, Game 10 and Game 11 are statistically in-

distinguishable to A. In other words, we have Pr[W10]s≈ Pr[W11]. This is in-

deed the experiment ExpAuT−1ATS,A (λ). Hence, we have Pr[W11] = Pr[ExpAuT−1

ATS,A (λ) =1].

38

As a result, we obtain

|Pr[ExpAuT−1ATS,A (λ) = 1]− Pr[ExpAuT−0

ATS,A (λ) = 1]| = negl(λ),

and hence our scheme is anonymous under tracing.

Lemma 7. Assuming the hardness of the RSIS problem, in the random oraclemodel, the given accountable tracing signature scheme is traceable .

Proof. We show that the success probability ǫ of A against traceability is neg-ligible by the unforgeability of the Ducas-Micciancio signature recalled in Sec-tion 2.3, which in turn relies on the hardness of the RSIS problem, or by thehardness of solving a RSIS instance directly.

Let C be the challenger and honestly run the experiment ExpTraceATS,A(λ). When

A halts, it outputs (M∗, Π∗gs, c

∗1, c

∗2). Let us consider the case that A wins. Parse

Π∗gs = ({CMT∗

i }κi=1,CH∗, {RSP∗

i }κi=1). Let

ξ∗ = (A,A[0], . . . ,A[d],F,F0,F1, u,B, c∗1, c

∗2).

Then CH∗ = HFS

(M∗, {CMT∗

i }κi=1, ξ

∗)

and for each i ∈ [κ], RSP∗i is a valid

response corresponding to CMT∗i and CH∗

i . This is due to the fact that A winsand hence Π∗

gs passes the verification process.

We remark that A had queried the tuple(M∗, {CMT∗

i }κi=1, ξ

∗)

to the hashoracle HFS with all but negligible probability. Since we can only guess correctlythe value HFS

(M∗, {CMT∗

i }κi=1, ξ

∗)

with probability 3−κ, which is negligible.

Therefore, A had queried the tuple(M∗, {CMT∗

i }κi=1, ξ

∗)

to HFS with probabil-ity ǫ′ = ǫ− 3−κ. Let this tuple be the θ∗-th oracle query made by A and assumeA had made QH queries in total.

Up to this point, the challenger C then replays the behaviour of A for atmost 32 · QH/ǫ

′ times. In each new replay, A is given the same hash answersr1, . . . , rθ∗−1 as in the original run for the first θ∗−1 hash queries while it is givenuniformly random and independent values r′

θ∗ , . . . , r′QH

for the remaining hashqueries. According to the forking lemma of Brickell et al. [11], with probability≥ 1/2, B obtains 3-fork involving the same tuple

(M∗, {CMT∗

i }κi=1, ξ

∗)

with

pairwise distinct hash values CH(1)θ∗ ,CH

(2)θ∗ ,CH

(3)θ∗ ∈ {1, 2, 3}κ and corresponding

valid responses RSP(1)θ∗ , RSP

(2)θ∗ , RSP

(3)θ∗ . We observe that with probability 1 −

(79 )κ, there exists some j ∈ {1, 2, . . . , κ} such that {CH

(1)θ∗,j,CH

(2)θ∗,j ,CH

(3)θ∗,j} =

{1, 2, 3}.In other words, we obtain three valid responses RSP

(1)θ∗,j , RSP

(2)θ∗,j, RSP

(3)θ∗,j

for all the challenges 1, 2, 3 with respect to the same commitment CMT∗j . Due

to the computational binding property of the COM scheme, C is able to extractζ∗ of form

ζ∗ = (p∗,a∗1 ,b

∗1,a

∗2 ,b

∗2, t

∗, r∗,v∗,x∗, g∗1 , e

∗1,1, e

∗1,2, g

∗2 , e

∗2,1, e

∗2,2)

39

such that t∗ ∈ Td, r∗,v∗ have infinity bound β, g∗1, e

∗1,1, e

∗1,2, g

∗2 , e

∗2,1, e

∗2,2 have

infinity bound B, x∗ has infinity bound 1; and equations B · x∗ = p∗ and

At∗ · v∗ = u+ F · rdec(F0 · r∗ + F1 · rdec(p∗‖a∗1‖b∗

1‖a∗2‖b∗

2))

hold, and c∗1, c

∗2 are ciphertexts of rdec(p∗) under the key (a∗

1 ,b∗1) and (a∗

2 ,b∗2)

with randomness (g∗1 , e

∗1,1, e

∗1,2) and (g∗

2 , e∗2,1, e

∗2,2), respectively.

Since A wins the game, then either (i) the Open algorithm outputs ⊥ or (ii)the Open algorithm outputs (p′, Π∗

open) with p′ 6= ⊥ but the proof Π∗open is not

accepted by the Judge algorithm.

By the unforgeability of the underlying signature scheme, with overwhelmingprobability, (p∗,a∗

1 ,b∗1,a

∗2 ,b

∗2, t

∗, r∗,v∗) is a certificate returned by the Enroll

oracle. In other words, p∗ is a registered user. If p∗ is a non-traceable user, thenA does not hold the user secret key of p∗, denoted as x′. Note that this is ensuredby the definition of traceability described in Section 2.8. With probability ≥ 1/2,x∗ 6= x′ by Lemma 5, in which case we obtain a vector y = x∗ − x′ 6= 0 so thatB·y = 0 and ‖y‖∞ ≤ ‖x∗‖∞+‖x′‖∞ ≤ 2. This solves a RSIS instance. Therefore,the Open algorithm outputs ⊥ with negligible probability. In other words, case(i) happens with negligible probability. On the other hand, if p∗ is a traceableuser. Then by the correctness of the underlying encryption scheme, the Open

algorithm will output p∗. Furthermore, by the honest behaviour of decryption(performed by the honest challenger), the Judge algorithm always outputs 1. Thisimplies case (ii) occurs with negligible probability. This concludes the proof.

Lemma 8. Assuming the hardness of the RSIS problem, in the random oraclemodel, the given accountable tracing signature scheme is non-frameable.

Proof. We show that the success probability ǫ of A against non-frameability isnegligible assuming the hardness of solving a RSIS instance.

Let C be the challenger and faithfully run the experiment ExpNFATS,A(λ). When

A halts, it outputs the tuple (M∗, Π∗gs, c

∗1, c

∗2, p

∗, Π∗open). Let us consider the case

that A wins.The fact that A wins the game implies (Π∗

gs, c∗1, c

∗2) is a valid signature of

the message M∗ that was not obtained from queries. By the same extractiontechnique as in Lemma 7, we can extract witness x′ ∈ Rm

q and p′ ∈ Rq suchthat ‖x′‖∞ ≤ 1, B ·x′ = p′ and c∗

1, c∗2 are correct encryptions of rdec(p′). By the

correctness of the underlying encryption scheme, c∗1 will be decrypted to p′.

The fact that A wins the game also implies Π∗open passes the verification

process of the Judge algorithm. Due to the soundness of the argument systemthat is used to generate Π∗

open, c∗1 will be decrypted to p∗. Hence we have p′ = p∗.

We observe that A wins the game also implies that A does not know the usersecret key x∗ that corresponds to p∗. Thus we obtain: B · x′ = p′ = p∗ = B · x∗,where ‖x∗‖∞ ≤ 1. Lemma 5 implies that x′ 6= x∗ with probability at least 1/2.If they are not equal, we obtain a vector y = x′−x∗ 6= 0 such that B ·y = 0 and‖y‖∞ ≤ ‖x∗‖∞ +‖x′‖∞ ≤ 2. However, under the hardness of the RSIS problem,the success probability of A is negligible. This concludes the proof.

40

Lemma 9. Assuming the hardness of the RLWE problem, in the random ora-cle model, the given accountable tracing signature scheme is anonymous withaccountability.

Proof. The proof of this lemma is similar to Lemma 6 except that we do not needto switch between two decryption keys. This is because the randomized keys in

the certificate of the challenged users are obtained from the pairs (a(0)1 ,b

(0)1 ) and

(a(0)2 ,b

(0)2 ), which are not related to the opening key. The details are omitted

here.

Lemma 10. Assuming the hardness of the RLWE problem, in the random oraclemodel, the given accountable tracing signature scheme is trace-oblivious.

Proof. We proceed through a sequence of hybrids. Let Wi be the event thatadversary outputs 1 in Game i.

Game 0: Let this game be the experiment ExpTO−0ATS,A(λ), where the adversary

receives cert for user p of his choice. Parse cert as (p, a′1,b

′1,a

′2,b

′2, t, r,v).

Note that (a′1,b

′1) and (a′

2,b′2) are randomized keys from (a

(0)1 ,b

(0)1 ) and

(a(0)2 ,b

(0)2 ), respectively. We then have Pr[W0] = Pr[ExpTO−0

ATS,A(λ) = 1].

Game 1: We modify Game 0 by replacing (a′1,b

′1) with a new fresh key (a1, b1)

generated by the KeyGen algorithm of our KOE scheme. It then follows fromthe key randomizability of our encryption scheme, this modification is neg-ligible to the adversary. Therefore, we have |Pr[W0]− Pr[W1]| = negl(λ).

Game 2: We modify Game 1 by replacing (a′2,b

′2) with a new fresh key (a2, b2)

as in Game 1. By the same argument, we have |Pr[W1]−Pr[W2]| = negl(λ).

Game 3: We change Game 2 by replacing (a2, b2) with (a′2,b

′2) that are ran-

domized key from (a(1)2 ,b

(1)2 ). By the key randomizability of our encryption

scheme, we have |Pr[W2]− Pr[W3]| = negl(λ).

Game 4: We change Game 3 by replacing (a1, b1) with (a′1,b

′1) that are ran-

domized key from (a(1)1 ,b

(1)1 ). We then have |Pr[W3] − Pr[W4]| = negl(λ).

This is exactly the experiment ExpTO−1ATS,A(λ). Therefore, we obtain Pr[W4] =

Pr[ExpTO−1ATS,A(λ) = 1].

Therefore, we obtain |Pr[ExpTO−1ATS,A(λ) = 1] − Pr[ExpTO−0

ATS,A(λ) = 1]| = negl(λ).This implies that our scheme is trace-oblivious.

Acknowledgements

The research is supported by Singapore Ministry of Education under ResearchGrant MOE2016-T2-2-014(S). Khoa Nguyen is also supported by the Gopalakr-ishnan – NTU Presidential Postdoctoral Fellowship 2018.

41

References

1. G. Ateniese, J. Camenisch, M. Joye, and G. Tsudik. A practical and provablysecure coalition-resistant group signature scheme. In CRYPTO 2000, volume 1880of LNCS, pages 255–270. Springer, 2000.

2. M. Bellare, D. Micciancio, and B. Warinschi. Foundations of group signatures: For-mal definitions, simplified requirements, and a construction based on general as-sumptions. In EUROCRYPT 2003, volume 2656 of LNCS, pages 614–629. Springer,2003.

3. M. Bellare, H. Shi, and C. Zhang. Foundations of group signatures: The case ofdynamic groups. In CT-RSA 2005, volume 3376 of LNCS, pages 136–153. Springer,2005.

4. F. Benhamouda, J. Camenisch, S. Krenn, V. Lyubashevsky, and G. Neven. Betterzero-knowledge proofs for lattice encryption and their application to group sig-natures. In ASIACRYPT 2014, volume 8873 of LNCS, pages 551–572. Springer,2014.

5. F. Benhamouda, S. Krenn, V. Lyubashevsky, and K. Pietrzak. Efficient zero-knowledge proofs for commitments from learning with errors over rings. In ES-

ORICS 2015, volume 9326 of LNCS, pages 305–325. Springer, 2015.6. D. Boneh, X. Boyen, and H. Shacham. Short group signatures. In CRYPTO 2004,

volume 3152 of LNCS, pages 41–55. Springer, 2004.7. D. Boneh and H. Shacham. Group signatures with verifier-local revocation. In

CCS 2004, pages 168–177. ACM, 2004.8. J. Bootle, A. Cerulli, P. Chaidos, E. Ghadafi, and J. Groth. Foundations of fully

dynamic group signatures. In ACNS 2016, volume 9696 of LNCS, pages 117–136,2016.

9. C. Boschini, J. Camenisch, and G. Neven. Floppy-sized group signatures fromlattices. In ACNS 2018, volume 10892 of LNCS, pages 163–182. Springer, 2018.

10. Z. Brakerski, C. Gentry, and V. Vaikuntanathan. (leveled) fully homomorphicencryption without bootstrapping. In ITCS 2012, pages 309–325. ACM, 2012.

11. E. F. Brickell, D. Pointcheval, S. Vaudenay, and M. Yung. Design validations fordiscrete logarithm based signature schemes. In PKC 2000, volume 1751 of LNCS,pages 276–292. Springer, 2000.

12. J. Camenisch, G. Neven, and M. Ruckert. Fully anonymous attribute tokens fromlattices. In SCN 2012, volume 7485 of LNCS, pages 57–75. Springer, 2012.

13. D. Chaum and E. van Heyst. Group signatures. In EUROCRYPT 1991, volume547 of LNCS, pages 257–265. Springer, 1991.

14. S. Cheng, K. Nguyen, and H. Wang. Policy-based signature scheme from lattices.Des. Codes Cryptography, 81(1):43–74, 2016.

15. L. Ducas and D. Micciancio. Improved short lattice signatures in the standardmodel. In CRYPTO 2014, volume 8616 of LNCS, pages 335–352. Springer, 2014.

16. L. Ducas and D. Micciancio. Improved short lattice signatures in the standardmodel. IACR Cryptology ePrint Archive, 2014:495, 2014.

17. A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identificationand signature problems. In CRYPTO 1986, volume 263 of LNCS, pages 186–194.Springer, 1986.

18. T. E. Gamal. A public key cryptosystem and a signature scheme based on discretelogarithms. In CRYPTO 1984, volume 196 of LNCS, pages 10–18, 1984.

19. C. Gentry, C. Peikert, and V. Vaikuntanathan. Trapdoors for hard lattices andnew cryptographic constructions. In STOC 2008, pages 197–206. ACM, 2008.

42

20. S. D. Gordon, J. Katz, and V. Vaikuntanathan. A group signature scheme fromlattice assumptions. In ASIACRYPT 2010, volume 6477 of LNCS, pages 395–412.Springer, 2010.

21. A. Jain, S. Krenn, K. Pietrzak, and A. Tentes. Commitments and efficient zero-knowledge proofs from learning parity with noise. In ASIACRYPT 2012, volume7658 of LNCS, pages 663–680. Springer, 2012.

22. A. Kawachi, K. Tanaka, and K. Xagawa. Concurrently secure identificationschemes based on the worst-case hardness of lattice problems. In ASIACRYPT

2008, volume 5350 of LNCS, pages 372–389. Springer, 2008.23. A. Kiayias, Y. Tsiounis, and M. Yung. Traceable signatures. In EUROCRYPT

2004, volume 3027 of LNCS, pages 571–589. Springer, 2004.24. A. Kiayias and M. Yung. Secure scalable group signature with dynamic joins and

separable authorities. Int. Journal of Security and Networks, 1(1):24–45, 2006.25. M. Kohlweiss and I. Miers. Accountable metadata-hiding escrow: A group signature

case study. PoPETs, 2015(2):206–221, 2015.26. F. Laguillaumie, A. Langlois, B. Libert, and D. Stehle. Lattice-based group sig-

natures with logarithmic signature size. In ASIACRYPT 2013, volume 8270 ofLNCS, pages 41–61. Springer, 2013.

27. A. Langlois and D. Stehle. Worst-case to average-case reductions for module lat-tices. Des. Codes Cryptography, 75(3):565–599, 2015.

28. B. Libert, S. Ling, F. Mouhartem, K. Nguyen, and H. Wang. Signature schemeswith efficient protocols and dynamic group signatures from lattice assumptions. InASIACRYPT 2016, volume 10032 of LNCS, pages 373–403. Springer, 2016.

29. B. Libert, S. Ling, F. Mouhartem, K. Nguyen, and H. Wang. Zero-knowledgearguments for matrix-vector relations and lattice-based group encryption. In ASI-

ACRYPT 2016, volume 10032 of LNCS, pages 101–131. Springer, 2016.30. B. Libert, S. Ling, K. Nguyen, and H. Wang. Zero-knowledge arguments for lattice-

based accumulators: Logarithmic-size ring signatures and group signatures withouttrapdoors. In EUROCRYPT 2016, volume 9666 of LNCS, pages 1–31. Springer,2016.

31. B. Libert, F. Mouhartem, and K. Nguyen. A lattice-based group signature schemewith message-dependent opening. In ACNS 2016, volume 9696 of LNCS, pages137–155. Springer, 2016.

32. S. Ling, K. Nguyen, A. Roux-Langlois, and H. Wang. A lattice-based group signa-ture scheme with verifier-local revocation. Theor. Comput. Sci., 730:1–20, 2018.

33. S. Ling, K. Nguyen, D. Stehle, and H. Wang. Improved zero-knowledge proofs ofknowledge for the ISIS problem, and applications. In PKC 2013, volume 7778 ofLNCS, pages 107–124. Springer, 2013.

34. S. Ling, K. Nguyen, and H. Wang. Group signatures from lattices: Simpler, tighter,shorter, ring-based. In PKC 2015, volume 9020 of LNCS, pages 427–449. Springer,2015.

35. S. Ling, K. Nguyen, H. Wang, and Y. Xu. Lattice-based group signatures: Achiev-ing full dynamicity with ease. In ACNS 2017, volume 10355 of LNCS, pages293–312. Springer, 2017.

36. S. Ling, K. Nguyen, H. Wang, and Y. Xu. Constant-size group signatures fromlattices. In PKC 2018, volume 10770 of LNCS, pages 58–88. Springer, 2018.

37. V. Lyubashevsky. Fiat-shamir with aborts: Applications to lattice and factoring-based signatures. In ASIACRYPT 2009, volume 5912 of LNCS, pages 598–616.Springer, 2009.

38. V. Lyubashevsky. Lattice signatures without trapdoors. In EUROCRYPT 2012,volume 7237 of LNCS, pages 738–755. Springer, 2012.

43

39. V. Lyubashevsky and D. Micciancio. Generalized compact knapsacks are collisionresistant. In ICALP 2006, volume 4052 of LNCS, pages 144–155. Springer, 2006.

40. V. Lyubashevsky, D. Micciancio, C. Peikert, and A. Rosen. SWIFFT: A modestproposal for FFT hashing. In FSE 2008, volume 5086 of LNCS, pages 54–72.Springer, 2008.

41. V. Lyubashevsky and G. Neven. One-shot verifiable encryption from lattices. InEUROCRYPT 2017, volume 10210 of LNCS, pages 293–323. Springer, 2017.

42. V. Lyubashevsky, C. Peikert, and O. Regev. On ideal lattices and learning witherrors over rings. In EUROCRYPT 2010, volume 6110 of LNCS, pages 1–23.Springer, 2010.

43. V. Lyubashevsky, C. Peikert, and O. Regev. On ideal lattices and learning witherrors over rings. J. ACM, 60(6):43:1–43:35, 2013.

44. V. Lyubashevsky and G. Seiler. Short, invertible elements in partially splittingcyclotomic rings and applications to lattice-based zero-knowledge proofs. In EU-

ROCRYPT 2018, volume 10820 of LNCS, pages 204–224. Springer, 2018.45. D. Micciancio. Generalized compact knapsacks, cyclic lattices, and efficient one-

way functions. Computational Complexity, 16(4):365–411, 2007.46. D. Micciancio and C. Peikert. Trapdoors for lattices: Simpler, tighter, faster,

smaller. In EUROCRYPT 2012, volume 7237 of LNCS, pages 700–718. Springer,2012.

47. M. Naor and M. Yung. Public-key cryptosystems provably secure against chosenciphertext attacks. In STOC 1990, pages 427–437. ACM, 1990.

48. P. Q. Nguyen, J. Zhang, and Z. Zhang. Simpler efficient group signatures fromlattices. In PKC 2015, volume 9020 of LNCS, pages 401–426. Springer, 2015.

49. C. Peikert, O. Regev, and N. Stephens-Davidowitz. Pseudorandomness of ring-lwefor any ring and modulus. In STOC 2017, pages 461–473. ACM, 2017.

50. C. Peikert and A. Rosen. Efficient collision-resistant hashing from worst-case as-sumptions on cyclic lattices. In TCC 2006, volume 3876 of LNCS, pages 145–166.Springer, 2006.

51. R. D. Pino, V. Lyubashevsky, and G. Seiler. Lattice-based group signatures andzero-knowledge proofs of automorphism stability. IACR Cryptology ePrint Archive,2018:779, 2018. Accepted to ACM CCS 2018.

52. O. Regev. On lattices, learning with errors, random linear codes, and cryptography.In STOC 2005, pages 84–93. ACM, 2005.

53. Y. Sakai, K. Emura, G. Hanaoka, Y. Kawai, T. Matsuda, and K. Omote. Groupsignatures with message-dependent opening. In Pairing 2012, volume 7708 ofLNCS, pages 270–294. Springer, 2012.

54. Y. Sakai, J. C. N. Schuldt, K. Emura, G. Hanaoka, and K. Ohta. On the securityof dynamic group signatures: Preventing signature hijacking. In PKC 2012, volume7293 of LNCS, pages 715–732. Springer, 2012.

55. P. W. Shor. Algorithms for quantum computation: Discrete logarithms and fac-toring. In FOCS 1994, pages 124–134. IEEE Computer Society, 1994.

56. D. Stehle, R. Steinfeld, K. Tanaka, and K. Xagawa. Efficient public key encryptionbased on ideal lattices. In ASIACRYPT 2009, volume 5912 of LNCS, pages 617–635. Springer, 2009.

57. J. Stern. A new paradigm for public key identification. IEEE Trans. Information

Theory, 42(6):1757–1768, 1996.58. K. Xagawa. Improved (hierarchical) inner-product encryption from lattices. IACR

Cryptology ePrint Archive, 2015:249, 2015.

44